


Institutional Archive of the Naval Postgraduate School 





Calhoun: The NPS Institutional Archive 
DSpace Repository 


Theses and Dissertations 1. Thesis and Dissertation Collection, all items 


1997-09 


A Management System for Heterogeneous 
Networks (MSHN) security analysis 


English, John Paul 


Monterey, California. Naval Postgraduate School 


http://hdl.handle.net/10945/8646 


Downloaded from NPS Archive: Calhoun 


Calhoun is the Naval Postgraduate School's public access digital repository for research materials and institutional publications created by the NPS community. Calhoun is named for Professor of Mathematics Guy K. Calhoun, NPS's first appointed -- and published -- scholarly author.

Dudley Knox Library / Naval Postgraduate School 

411 Dyer Road / 1 University Circle 
Monterey, California USA 93943 





http://www.nps.edu/library 


NAVAL POSTGRADUATE SCHOOL 
Monterey, California 





THESIS 


A MANAGEMENT SYSTEM FOR 
HETEROGENEOUS NETWORKS (MSHN) 
SECURITY ANALYSIS 
by 


John Paul English 


September, 1997 


Thesis Advisor: Cynthia E. Irvine 
Thesis Co-Advisor: Taylor Kidd 





Approved for public release; distribution is unlimited. 








REPORT DOCUMENTATION PAGE (Standard Form 298, Rev. 2-89; OMB No. 0704-0188; prescribed by ANSI Std. 239-18)

2. Report date: September 1997
3. Report type and dates covered: Master's Thesis
4. Title and subtitle: A Management System for Heterogeneous Networks (MSHN) Security Analysis
6. Author(s): English, John Paul
7. Performing organization name(s) and address(es): Naval Postgraduate School, Monterey, CA 93943-5000
11. Supplementary notes: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
12a. Distribution / availability statement: Approved for public release; distribution unlimited.
13. Abstract: identical to the Abstract given below.
14. Subject terms: MSHN, Security Analysis, Quality of Service, Security Policy, Interface Assessment
15. Number of pages: 108
17. Security classification of report: Unclassified
19. Security classification of abstract: Unclassified
20. Limitation of abstract: UL
NSN 7540-01-280-5500




Approved for public release; distribution is unlimited 
A MANAGEMENT SYSTEM FOR HETEROGENEOUS NETWORKS (MSHN) 
SECURITY ANALYSIS 
John P. English 
Lieutenant, United States Navy Reserve 
B.S., Massachusetts Maritime Academy, 1987 
Submitted in partial fulfillment of the 
requirements for the degree of 
MASTER OF SCIENCE IN COMPUTER SCIENCE 


from the 


NAVAL POSTGRADUATE SCHOOL 
September 1997 







ABSTRACT 


A team of interdisciplinary experts funded by DARPA is in the process of developing a Resource Management System termed MSHN (a Management System for Heterogeneous Networks). MSHN's primary function is to accept a sequence of jobs, and intelligently determine what jobs should be executed on which machines and when. It is designed to take both machine affinity and loads into account, thus providing superior performance and Quality of Service (QoS). The current prototype of MSHN does not provide protection against the threats of inadvertent disclosure and corruption of sensitive information and resources. A rigorous security analysis of MSHN is the first step required to successfully incorporate security into the MSHN project.

The approach taken was to analyze MSHN's architecture, information flow diagrams and user interfaces and explain how fundamental security concepts may be applied to MSHN. By exercising the MSHN simulator, this work was able to expose many security weaknesses and outline conceivable methods of exploitation.

As a result of this effort, a security policy tailored to MSHN is proposed, a functional breakout process based on the principle of least privilege between common user interface capabilities and administration capabilities is provided, and finally design recommendations for the incorporation of security into MSHN are presented.





ae INTRODUCTION OS SSSSSSSHSFEHSHSEHSSESEHSESSEHH HHH SHHHSEH SH SSHSHSSSHSSHESSHSOSSSSSSSHSHSSESHESHOSSHSSHSCHHSSHSHHSHSCEHHSESHSEOSEEHOEOEES 1 
PLU dicate RR Ose eee ns 5352. 22 00264 ~y ens ac8egee---++-- 00-0 asevsnanoooacdancabtuaeee seats: tte ame e tT Mee ] 
PE Es OFS Gs RG) OSI ee ee ts coe re eee so asc 25 a'se cco eeudenddea~sessescdensssa«++saua caeeemuldeues:. 0.2 sQgeemmmnmMMeme est iene. 2 
Pe ESCOPE SEIMULATIONS. ANDIASSUMPTIONS 20.0 000000ccacainssu0e.+00 deeacdeabsesnescawidseuus susp saagueeeeeenn ec. 3 
1) eae GIN eh OE SIRT SIS ocr cy. se 4s cs soessessnosdasdiness ess sysoeossecesessecsancassnenss stcqnenalseueuneiemacucta: 3 

BRN) COLON Octet cc tem MM 60-2 acis «vas dee step Mee Re ceetcs suscbes vensess<cedeecnses st ttianssadttes OoSEee OnE vis 3 
BFS FO 1) maine Tee ohn ooo oss ive se oud ssessteesseeu oss sooessesskeacestuasaeseeeeeiicutt ino. cectteeetesss 3 
BR CORCHVICWHOTRG@OIIIDINICL SCCUIELY, a1 oete eae ccc 28 ss gethavnnsos+s ss cdedossissoxesuessdiesesessesesnssauescedaceUaceensees 3 
A SOLA NEVO f SC MVICE arene onc een ee ao Sear Perce oonc ces viculessiceavaendenbeceteecresa vaever« 4 
De SeCurilvee a evan Interpretation fOr MISTIIN aie egee, 11 sssssessaasssicensesvouescesesednues---02200.00000sseeuaess 4 
PMR ITEC COMA IV SI SPOR eee in ccc ecs sh atp as eee e eee RE aa ae Sea susp aside ceais 3ivest Ness oeanénes endless eseseaee ~ 
Pm CORE 1Ls) 10) 1 SMP ee ees oc 5855s Sanat sw sdeeSS SOY o 056 0a <4is oh'da 4 s spas wbinnn coca saemeeemeeemtaaers ieencdcasddenetecxie« 5 

Uf. MSHN PROFILE OSS SOSSOSFH8O8SHEHHHHHHSHHHEHEEHOS HOD OT HEEHHHEHHHOTS OHHH EHHHHEHEHHEHDHHHEHHHEEHEHHOHHEOHEHEBEHOHOEBEESD 7 

A. SET TING roe rr or oa oie sana s sao vaivalewemaeiias sages s sanes eine vauidsasan ce cies com eeespees cose vaneness cateesreces cvestnsesenweesderesicesseses 7 
JE ag leks 2 oe, EC as pn eee enn nec E Er Poor ere Pe POPPE CEPR Yr oc cree ror ee recon cncr eee 7 
PSG ICAU ON FOINE WOON sscse beste eon cet otic as'sauveisdudes dy spobeeee nade NO caus evs HE MONS 550s ca ean aw & 
BP OVATIONS Of WISIN vert snecuysutncasetectces ited ajcsuibe aac tase igen ema a te oan mentee eae RRR Sas Sea adiensene 9 

em SY STEN DESCRIPTION. 5, .c5700 cedes ts aed cocbeasts sasdoe seus ass 562 cee ee ee eee nee eae sat oe ca ene cene hs Ae OSB 11 
Hee COMPONICTUS 5s vsusacevexie soe ceoe ss oo aiaeslan ds Soa ikis i gnsneiwseeide cea ee POSE 10 
Bas KCORSIOUMALIONES voces oe anes en de sent cau deo esas vusedeeeces-+-5-02 0 ee eee ee PORE S062) ee ce is 
ON > IITECE COS Fook vce saves ote sunsGoviwec sPane stoves sive sive tncss cts eee aa ae ese <P concn eee vad 16 

ee CONFIGURATION FOR STUDY 6 csscdsoscccasesaacecscoveslavesssvochestuies «auc gemmaume iellanedetets \ereeesnaeiy tree ecen Sea 18 

Ul. OVERVIEW OF COMPUTER SC UR Va ae a aes oh ess 19 
A. FUNDAMENTAL SPCURITY CONCERT So ooiecccccsseassceeysovccss coececsses sacs perce eeenen a meee rere n nee octane. os ciamee 19 

er SCCURTE OD] CCLIV OS aks cece ces coun ev seneatvecesnasai is secs caedauntyesoetes ioe ee ais ea 20 
BD CUP mM Soto cc cvosuesutuaeisoses tact ae ceeseweguase< dias cide sae snwties EAT eee EE cao swear aes 21 
Soe ANCICREN CE MONMOR ONCOL sxactevsnwesteney cna tes voc cco l0saivoed sae oe ae mace ao ences Ze 
Be -ATUSIER COMPUNPIG DOSE wxhees ges c ons canbe sxcneceesieevoece oe ee eee ee ee Risen ea cece Ip} 

PN SECURIT YaINIODELS ory 5554 cusasstieceseccsrsosecencswipeecssnenesscc vapor eset ateeee ee mmennentte eae egnereeaweees «adda lecerrey + 26 
ems  (Oraham-Demnui Vogel seis oan acekacce sone eae gece eee 7 
eee Pell ANd LAPAQUIGIVIOGE] - cage. c:, <:isssessusderecareete see oT os cise eee 29 
SM CIEE CE VIO UE) aie ee ee ea age ds ca vs nd teGaons Santas gee ee RT eee Ten Ree or Sues 30 

ee DRUSTED COMPUMER'S vonEM EVALUATION CRITERIA (2). o2.5.coyectereets cscs ccc essse cc oe-caveceseseeids <osecn ese 52 
FEIT 1 1 S LCSW GE Cir enh gS omer ee et eee na anne ee ee de eee a cnt ca ts soe cn apaancresasassimeeee seo 52 
Zo fundamental Computer Securily: KREQUIreMeNlS, ..cccssc..ccccsecssct-se eter rete ere ee eee ee ons anaeee a9 
Map TT CTEM DURE II CL Vsa tare tec 2 ARO A seats seh pce sahie te Ae ea MROE ORY Ss vis vc <a sal Senn eet suanuen ncaa d 36 

IV. QUALITY OF RNA ME Rees eee ne tes we coo cok x cue sa cuceaGeeuascecaciecceeeneee 39 
OU AU ye OE IS eNO EEE RS PEC IE anit sess c.02..<¢ 14s vinecs eises soa leenss0senseeateereseeresevoesessunnsmaamussns races 39 

MT UTICULON GNIS etn cenccte ie a sa onsse + ate cat eeeeee co feade sansaee cs saaenesssotediec cau glOnantceeee ceeee a ate eee em 4] 
NE 111i 5 en. BIR Gee cscs sna ndsssonveredevedagoeeten se oseegsescsuasaastgensnanbe sbocsncessseeueeemees 42 
BUTI ROU CID UN rte eee occ. .coccc tee eochccanava annus sepcdanttsasna coesds se etetee Peed sks Maye Tse Mieke URE I sckes ee es eee 43 
Sam) TOIT ODES IN Reece oe enn d schoo ps sehen oe sadaccko tac cvabiewe vein osenaae xecevaeewenc seve dese shuges ate ee meee 43 


Vil 


Sass SSCOUPELY a crccen soot eens eee occas ae eek rhea as sila axtnln ns sila da dionn excuse at eee vs 

Ore LASC Of USC ...2ces ince eT Te eT Saas Cao <aeesaae «2 vasck eee 44 

Biol SECURITY SERVICE IMPACT errr etre etree cccateroe cede ce cee erase cea rete uae Sea coiiencsatte estas an 45 
CPR MANAGING THE IMIBACT eee ee oso corse ee eee ee nn ee 2 47 
Ve SECURITY PC ee occa kon ocs cca ce eee vnc c clei can ccasoieeen 49 
A. ACCESS CONTROIUPOIIGY CATEGORIES. oi ccnesedccssncncsccdesseeciceveoscucs ces tettbet cass cite toe ee ee 49 
on) TENT Dy OSC ae mrere teen ooo so avs os gee cease ddoeds<oicesden sanguioaedninea diecnnsn eokes eee Reet asia e ees ace ee 50 

2. LQDEI EB GSC le vo oka va duced vn da eui unde iRvcee cs ee ic a 50 

B. ENFORCEMENT MECHANISMS OF A DAC SECURITY POLICY ................cscececeeccccesecececcsceccscsccececccecs 50 
DG IRCBUIF ADICTS (225.0 c5 ss sacssessivesesdovaeesseddnes tea teenean§ © Gesantte eeMUMMNNRE fo 6 00 cnn eon eee cs a1 

2 aeebiscretionary Access Control MeChanisSms o.ceccc.cec.cteheeeteeecceseess+osccc2 cease Jl 

3. PAOCCCSSENIO GCS co o.oo date vos oalcnndh aeedaehue lees Ta i EE 54 

4, meG@ontrol Management Model s....cccBicsisssassnetetsssaseareesres feesecee oss. sce -28 eeeneeeee a JS 

5. ALN OGIN CHIT IGW. <5.cc5 Ce os Co I a Bie thw sha nek ck ee 56 

C. ENFORCEMENT MECHANISMS OF AMAC SECURITY POLICY ................ccececcecsececcecccccccccscececsccececces 57 
if HRC CIN CIN CNIS 0c os cavedcanactiecavaseaceeseeneeneenres ote outa tee Soe aera eR a3 ee ee ay 

2. ELD OIS eer hee. Senate ee nn. ee ee 58 

DME US SICC. SUO SECIS. cies redsee weer eese vou cnemineanes Coreen tetas es ale, Mindat tte tree ea rece etce rec cries cco a9. 

D. MULTIPOLICY SECURITY POLICY ............................................. 60
1. Viewing the Multipolicy System ....................................... 60
2. Mechanics of Multipolicies ........................................... 62
3. Polymorphic Security Policy [rest of title illegible in source] ...... 63
VI. INTERFACE ANALYSIS ....................................................... 67
A. [title illegible in source] .......................................... 67
B. SMARTNET INTERFACE ................................................... 69
1. [title illegible in source] ....................................... 70
2. [title illegible in source] ....................................... 74
3. [title illegible in source] ....................................... 76
C. VULNERABILITY AND WEAKNESSES ......................................... 77
1. [word illegible in source] Security Problems ...................... 77
2. [word illegible in source] Security Problems ...................... 78
3. [word illegible in source] Security Problems ...................... 79
4. Monitor Security Problems ......................................... 81
D. RECOMMENDATIONS ...................................................... 82
VII. CONCLUSIONS ............................................................. 85
A. [title illegible in source] .......................................... 85
B. RECOMMENDATIONS ...................................................... 86
C. SUMMARY .............................................................. 87

INITIAL DISTRIBUTION LIST ...................... [page number illegible in source]




LIST OF FIGURES


Figure 1. MSHN Basic Architecture ............................................ 14
Figure 2. Reference Monitor Concept .......................................... 23
Figure 3. [title illegible in source] ........................................ 26
Figure 4. [title illegible in source] ........................................ 28
Figure 5. Access Control Matrix .............................................. 29
Figure 6. [title illegible in source] ........................................ 29
Figure 7. Lattice Structures ................................................. 31
Figure 8. Comparison of Evaluation Classes ................................... 38
Figure 9. Process of QoS Identification ...................................... 40
Figure 10. Classifications ................................................... 59
Figure 11. Compartments ...................................................... 60
Figure 12. Structure of SmartNet's Interfaces ................................ 69
Figure 13. [title illegible in source] ....................................... 70
Figure 14. Machines Window ................................................... 71
Figure 15. Application/Machines Window ....................................... 71
Figure 16. Overrides Window .................................................. 72
Figure 17. [title illegible in source] ....................................... 72
Figure 18. Editor [rest of title illegible in source] ... [page number illegible in source]
Figure 19. [title illegible in source] ....................................... 75
Figure 20. [title illegible in source] Window ................................ 75
Figure 21. [title illegible in source] Window ................................ 76





LIST OF SYMBOLS, ACRONYMS, AND ABBREVIATIONS


ACM       Access Control Matrix
CTCPEC    Canadian Trusted Computer Product Evaluation Criteria
DAC       Discretionary Access Control
DARPA     Defense Advanced Research Projects Agency
DoD       Department of Defense
EOT       Editor Object Types
GUI       Graphical User Interface
I&A       Identification and Authentication
ITSEC     Information Technology Security Evaluation Criteria
MAC       Mandatory Access Control
MSHN      Management System for Heterogeneous Networks
MSP       Multipolicy Security Policy
NCAR      National Center for Atmospheric Research
NCCOSC    Naval Command and Control, Ocean Surveillance Center
NCSC      National Computer Security Center
NIH       National Institutes of Health
NRaD      Naval Research and Development
QoS       Quality of Service
RMS       Resource Management Systems
RVM       Reference Validation Mechanism
SSF       Security Supporting Functions
TCB       Trusted Computing Base
TCSEC     Trusted Computer System Evaluation Criteria
VHM       Virtual Heterogeneous Machine







ACKNOWLEDGEMENT 


I would like to gratefully acknowledge the guidance, motivation, and wisdom
provided by Cynthia Irvine, my thesis advisor. I would also like to extend my gratitude to
my co-advisor, Taylor Kidd, for his valuable assistance and determination in helping me
complete this project. Lastly, I would like to recognize the loving patience, sacrifice, and
constant devotion of my wife Lynn and my daughter Maggie. Without their support, this
thesis and my studies could not have been completed.







I. INTRODUCTION 


A. PURPOSE 


As computing resources diversify and data becomes distributed throughout the
nation and the world, a growing common need exists: the ability to intelligently manage a
distributed, heterogeneous computational network and its corresponding resources. A
team of interdisciplinary experts funded by DARPA (Defense Advanced Research Projects
Agency) is in the process of developing a scheduling framework termed MSHN¹ (a
Management System for Heterogeneous Networks). MSHN's primary function is to
accept a sequence of jobs and determine which jobs should be executed on which machines
and when. MSHN will incorporate innovative approaches to scheduling and apply
advanced job monitoring capabilities to achieve superior performance and meet Quality of
Service (QoS) requirements. This distinguishes it from the more traditional Resource
Management Systems (RMSs).

One of the many issues being addressed as part of the design and prototyping of
MSHN is security. This thesis provides a first step in understanding how security can be
incorporated into MSHN. Fundamental security concepts applicable to MSHN are
presented. Security policies in the context of heterogeneous systems are discussed. This
work examines security vulnerabilities in the user interface of MSHN's predecessor, and
concludes with a discussion of the security weaknesses of MSHN's architecture.


¹ MSHN is pronounced "Mission".


The results of this research are twofold. First, we furnish sufficient background on
MSHN and how security objectives, principles, and policies may be applied. Second, we
provide guidance as to where future studies should focus in order to permit MSHN to
balance the enforcement of the security policy against satisfying other QoS obligations.


B. BACKGROUND


MSHN is a program that is building upon the experiences of the SmartNet 
scheduling framework. SmartNet’s genesis was from a paper written in 1991 by Richard 
Freund, entitled “SuperC or Distributed Heterogeneous HPC” [Ref. 1]. This paper 
viewed the scheduling of multiple and independent compute intensive tasks as a linear 
programming problem. Later, Freund continued his initial work by forming a design and 
research team at the Naval Command and Control, Ocean Surveillance Center, Research, 
Development, Testing and Evaluation Division (NRaD), leading to the creation of 
SmartNet in 1993. SmartNet became operational in early 1994. Its team has consisted at 
times of upwards of 25 members, some doing research, others development, and still 
others product support. 

SmartNet has been and is being used by many government agencies, including NIH
(National Institutes of Health), DARPA, NCAR (National Center for Atmospheric
Research), and the US Navy. Presently, SmartNet is known as a scheduling framework
for managing tasks in heterogeneous environments. Initially designed for coordinating
computationally bound HPC tasks, it has been expanded and generalized to operate in the
more typical distributed environment generally in use today.


C. SCOPE, LIMITATIONS, AND ASSUMPTIONS


The security architecture, like the overall architecture of MSHN, is currently under
development. The foundation for this thesis is based on the designers' vision for MSHN's
architecture, capabilities, and usage.


D. ORGANIZATION OF THESIS 


This section provides an overview of each chapter’s contents and purpose. 


1. Introduction 


Chapter I discusses the purpose, background, and scope of this thesis. 


2. MSHN Profile


Chapter II describes MSHN’s objectives. MSHN’s purpose, components, and 
configurations are explained in detail. The innovations and unique characteristics that 
MSHN embodies, through its predecessor SmartNet, are presented. The chapter 
concludes by outlining the configuration of MSHN that will be used for study throughout 
this thesis. 

3. Overview of Computer Security

Chapter III provides a brief review of computer security as it is applicable to the
analysis of MSHN. Fundamental security terms, concepts, and goals are introduced. The
chapter addresses such topics as security objectives, security models, and security
functions and mechanisms. The chapter will end with a discussion of the Trusted
Computer System Evaluation Criteria, which provides a basis for gauging the confidence
with which a security policy is correctly enforced by commercial products. This chapter
will assist the reader in gaining a rudimentary understanding of computer security and
build a basis for the subsequent security analysis of MSHN.


4. Quality of Service


Chapter IV explores the notion of Quality of Service (QoS). Its definition and 
quantification are examined. We explain how MSHN may support QoS requirements for 
applications taking advantage of MSHN’s resource management services. How security 
can be viewed as a service, how security requirements affect other services, and the 
implications of having multiple security policies will be discussed. 


5. Security Policy and Interpretation for MSHN


Chapter V discusses security policies that could be adopted by MSHN. 
Statements of intent with regard to the control of access to information and its 
dissemination are declared and expounded upon. This chapter is an essential step in 
transforming MSHN into a secure system. 


6. Interface Analysis 


Chapter VI analyzes the user interface of MSHN's predecessor, SmartNet, from a
security perspective. Vulnerabilities that may lead to the denial of service, the corruption
of data and applications, and the unintended disclosure of sensitive information are
exposed. This chapter provides guidance for the development of MSHN's interface such
that security relevant interface functions will be clearly separated from those other
functions that are security neutral.


7. Conclusions 


Chapter VII provides a summary of this research and gives recommendations for
the direction of future research toward the incorporation of security into MSHN.





II. MSHN PROFILE


This chapter provides an overview of the Management System for Heterogeneous
Networks (MSHN). Although MSHN is still in the design phase of its development, its
objective, requirements and basic architecture are well founded. For the ease of writing
this portrait of MSHN, we will use the present tense. The majority of this chapter is based
on several sources. These include the documentation for SmartNet [Refs. 2 and 3], the
unpublished notes of one of the designers [Ref. 4], and discussions held at an MSHN
Investigator Meeting [Ref. 5].


A. SETTING 
1. Purpose


MSHN is a scheduling framework for managing jobs and resources in a
heterogeneous computational environment. Given a set of jobs, MSHN determines where
and when each job should execute in order to run the set of jobs while maximizing some
performance criterion, such as executing them in the smallest possible amount of time. It
achieves its superior performance through its comprehensive view of the virtual
heterogeneous machine (VHM) and its intimate knowledge of the jobs being scheduled.
"The VHM is the set of machines and resources MSHN is installed to operate with." [Ref.
4] MSHN's view of the VHM encompasses not only resource loads and job progress, but
resource capability and affinity as well. MSHN is able to use this view to determine and
implement the best schedule satisfying the requirements of the jobs it executes. MSHN
possesses user interfaces enabling the performance power of the heterogeneous
environment to be harnessed.


2. Scheduling Framework


MSHN is neither a scheduler nor a Resource Management System (RMS) but a 
more robust composition called a scheduling framework. The scheduler is a limited 
component of this greater system. Its only function is to decide where to run each job. It 
depends on other mechanisms to gather and provide the necessary information, and to 
implement the schedules it generates. An RMS incorporates a basic scheduler and, in 
addition, the ability to execute jobs and monitor their progress. It customarily applies a 
load balancing methodology for deciding where jobs should execute. A Scheduling 
Framework possesses the qualities of an RMS and a Scheduler but also contains a larger 
spectrum of functionality. 

The broad range of capabilities possessed by a Scheduling Framework
distinguishes it from an RMS. MSHN offers many different scheduling and search
strategies for managing resources and jobs. It provides an interface to the user for
monitoring the state of the VHM and the jobs being executed on the VHM. It is able to
learn by accumulating a history of performance data and can make intelligent decisions
based upon that history. MSHN is also able to deal with the uncertainty that is intrinsic
in distributed environments. From a developer's perspective, perhaps MSHN's greatest
asset is its modular design, which facilitates its ready adaptation to different operating
environments.


3. Innovations of MSHN


The MSHN project is a departure from past approaches to distributed computing.
The following six distinct innovations make MSHN unique and contribute to its increased
performance, functionality and flexibility. These are:

• its ability to recognize and exploit the heterogeneity present in modern
distributed computing architectures,

• its development and use of what are termed an application's Compute
Characteristics,

• its ability to track and account for uncertainty,

• its ability to account for the sharing of resources in a distributed environment,

• its separation of the optimization criteria from the search engine, and

• the methods it employs to search the scheduling space for a satisfactory
solution to the optimization criteria.


All computer architectures have different capabilities. A given architecture 
provides varying degrees of processing performance, data storage capacity, and data 
transmission ability. In addition, some architectures are better suited to handle particular 
types of applications than are others. “The MSHN team was aware of such performance 
differences and hypothesized that a distributed collection of machines with diverse 
architectures would be able to provide a collective performance equal to that of the best 
machine.” [Ref. 4] MSHN embodies this philosophy and is designed to leverage the 
heterogeneity inherent in different computer architectures. 

The runtimes of most computer jobs are not very predictable. "Runtime
distributions typically have a very wide variance and are multi-modal in nature." [Ref. 3]


This unpredictability complicates and undermines the effort to optimally schedule a series 
of jobs. The MSHN development team recognizes this problem and is devising a scheme 
to address this challenge through the use of what are called Compute Characteristics. A 
job’s runtime distribution can be divided into pieces delineated by these Compute 
Characteristics. “Compute Characteristics are most easily defined in terms of deterministic 
jobs executing in a quiescent system with no wait.” [Ref. 3] 

“The distributed environment is inherently non-deterministic. Machines are 
operating asynchronously, sharing resources, and executing a host of different jobs 
simultaneously.” [Ref. 3] The developers of MSHN are able to account for this 
uncertainty and use their knowledge of it to increase the performance of MSHN. 

The sharing of resources, such as memory, the central processing unit, and disk
space, is a fundamental concern of distributed processing. MSHN builds on the
previous research that has been done in these areas, and is also pioneering the allocation of
other resources, in particular, the network-based resources. "The MSHN team initiated
the generalization of this work to include other shared distributed resources such as file
servers and memory." [Ref. 3]

The MSHN scheduler is designed modularly. This design allows the introduction
of additional components, termed optimization engines, containing new optimization
criteria so long as they satisfy the interface requirements of the scheduler. In addition,
MSHN permits the development of sophisticated optimization criteria that can utilize the
information available in the MSHN database. The MSHN database is large and contains
data useful to a broad range of optimization strategies.

The MSHN scheduler not only contains multiple optimization criteria but also
several search engines. "The search engine explores the solution space for a good
schedule as defined by the criteria in the optimization engine." [Ref. 3] The MSHN
scheduler is also designed to allow the rapid development and integration of new search
engines. The interface requirements for a search engine are subject to the same scheduler
interface characteristics required of an optimization engine. Search engines in MSHN
implement greedy, fast greedy, and evolutionary programming-based algorithms.
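As an added illustration of the separation just described (example code written for this edit, not SmartNet or MSHN code), the following Python sketch keeps the optimization criterion and the search engine as separate, interchangeable functions, so that the same greedy engine can be driven by a makespan criterion or by a total-work criterion and produces a different schedule for each. The machine architectures, the per-architecture runtimes that stand in for Compute Characteristics, and the job and machine names are constructed sample values, not data from the MSHN project.

```python
# Added example (not SmartNet/MSHN code): a toy scheduling framework in which the
# optimization criterion and the search engine are separate, pluggable functions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Job:
    name: str
    # Constructed stand-in for Compute Characteristics: expected runtime (seconds)
    # of this job on each machine architecture, measured on a quiescent machine.
    runtime_by_arch: Dict[str, float]


@dataclass(frozen=True)
class Machine:
    name: str
    arch: str
    load: float = 0.0  # seconds of work already queued (constructed sample value)


Assignment = Dict[str, str]  # job name -> machine name
Criterion = Callable[[List[Job], List[Machine], Assignment], float]


def completion_times(jobs: List[Job], machines: List[Machine],
                     assignment: Assignment) -> Dict[str, float]:
    """Finish time of each machine's queue under an assignment of jobs to machines."""
    by_name = {m.name: m for m in machines}
    finish = {m.name: m.load for m in machines}
    for job in jobs:
        machine = by_name[assignment[job.name]]
        finish[machine.name] += job.runtime_by_arch[machine.arch]
    return finish


# --- Optimization criteria: each maps a (partial) schedule to a cost to minimize ---

def makespan(jobs: List[Job], machines: List[Machine], assignment: Assignment) -> float:
    """Administrator-style metric: time until the last queued job finishes."""
    return max(completion_times(jobs, machines, assignment).values())


def total_work(jobs: List[Job], machines: List[Machine], assignment: Assignment) -> float:
    """Alternative metric: total machine-seconds consumed, ignoring parallelism."""
    by_name = {m.name: m for m in machines}
    return sum(j.runtime_by_arch[by_name[assignment[j.name]].arch] for j in jobs)


# --- Search engine: explores the schedule space using whatever criterion it is given ---

def greedy_search(jobs: List[Job], machines: List[Machine],
                  criterion: Criterion) -> Assignment:
    """Greedy engine: place jobs in submission order, each on the machine that gives
    the lowest criterion value for the partial schedule built so far."""
    assignment: Assignment = {}
    for job in jobs:
        best_cost, best_machine = None, None
        for machine in machines:
            trial = dict(assignment)
            trial[job.name] = machine.name
            placed = [j for j in jobs if j.name in trial]
            cost = criterion(placed, machines, trial)
            if best_cost is None or cost < best_cost:
                best_cost, best_machine = cost, machine.name
        assignment[job.name] = best_machine
    return assignment


def schedule(jobs: List[Job], machines: List[Machine], criterion: Criterion = makespan,
             engine=greedy_search) -> Tuple[Assignment, float]:
    """Run the chosen engine with the chosen criterion; report the resulting makespan
    so that schedules produced under different criteria can be compared."""
    assignment = engine(jobs, machines, criterion)
    return assignment, makespan(jobs, machines, assignment)


# Constructed sample VHM and jobs (not MSHN data): one vector machine and two
# workstations; each job runs faster on one architecture than on the other.
SAMPLE_MACHINES = [Machine("vector1", "vector"),
                   Machine("ws1", "workstation"),
                   Machine("ws2", "workstation")]
SAMPLE_JOBS = [Job("fft", {"vector": 10.0, "workstation": 40.0}),
               Job("render", {"vector": 30.0, "workstation": 20.0}),
               Job("parse", {"vector": 25.0, "workstation": 5.0})]

if __name__ == "__main__":
    for crit in (makespan, total_work):
        print(crit.__name__, schedule(SAMPLE_JOBS, SAMPLE_MACHINES, crit))
```

With the makespan criterion the greedy engine spreads the three jobs over all three machines (makespan 20 s); with the total-work criterion it packs the two workstation-friendly jobs onto ws1 (makespan 25 s). Swapping in an evolutionary or fast-greedy engine would only require another function with the same signature as greedy_search, which is the interface property the text attributes to MSHN's scheduler.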


B. SYSTEM DESCRIPTION 
1. Components


MSHN’s architecture is divided into four different modules (see Figure 1). These 
are the Scheduler, Database, Learning/Accounting Process, and Controller. The 
Scheduler’s function is to decide where and when jobs are to be executed, taking into 
account the types and availability of computational resources. The Database stores all the 
information required by MSHN to intelligently schedule and execute pending jobs. The 
Learning/Accounting process module allows MSHN to gather historical and statistical 
data for its scheduling and job management functions, and to track cost accounting data. 
The Controller is the main organizing process for MSHN, coordinating and implementing 
most of its internal activity and external interactions. 

The Scheduler module is the scheduling mechanism of MSHN. Its purpose is to
schedule the submitted jobs such that the best possible performance is achieved.
Performance is defined in terms of user and administrator QoS metrics and the relative
weighting of these metrics. For example, a common administrator QoS metric is the time
it takes to execute all the jobs in the queue. MSHN achieves its high level of performance 
by matching jobs with the machines and resources that are best suited to process that job. 
In addition to the above-mentioned QoS metrics, the Scheduler decides this suitability by 
also taking into account sequencing, concurrency, cost, machine and resource 
dependencies, and the state of the VHM. The Scheduler relies on the MSHN database to 
supply this required information. “In truth, the MSHN Scheduler is really a family of 
scheduling algorithms, each designed to optimize system performance based upon 
different optimization criteria and constraints.” [Ref. 4] The user can select which 
optimization and search engines to deploy or leave this decision to MSHN. This family of 
schedulers is not static. New optimization and search engines can be easily added and 
existing ones enhanced. 

The MSHN Database stores and provides information about the past, current, and
(estimated) future state of the MSHN environment. It maintains a record of the progress
of active jobs and the location of the data they require. It also maintains a historical
record of the performance and system requirements of submitted jobs, of the loads and
states of all the resources available or in use, and of the global VHM.

The Learning/Accounting process has two primary functions. The Accounting
function records accounting information and costs associated with the jobs being managed
by MSHN. The Learning function produces a wide variety of experiential data concerning
the performance of jobs and resources. The Learning function is one of the primary
components that enables MSHN to make intelligent decisions. Using a variety of
statistical and filtering techniques, the Learning function can measure and provide the
Scheduler and Controller with both directly and indirectly measurable statistical quantities.

The Controller is the center of the MSHN Scheduling Framework. It is
responsible for most of the initiation and control of MSHN's actions and the overall
management of its components. Its duties and functions are numerous. These include:


• regulating interaction with the user via the interface,

• requesting schedules,

• recognizing scheduling and rescheduling events,

• maintaining accurate predictions of resource and VHM loads,

• updating state information in the MSHN database,

• monitoring job progress,

• maintaining the job queues,

• making sure jobs don't violate their cost limits,

• initiating data movement,

• executing, terminating, blocking, and migrating jobs,

• adding and removing machines and resources from its VHM, and

• communicating and maintaining consistency with other MSHN Frameworks in
other domains.














[Figure 1: block diagram of the MSHN basic architecture. Labels surviving extraction:
Administrative Interface, Execution Interface, Scheduler, Controller, Learning,
Accounting, Machines, Other copies of MSHN. Legend: Control Information, Request
Information, Data Information.]


Figure 1. MSHN Basic Architecture [Ref. 3].


2. Configurations


MSHN is designed to operate in one of three different configurations: as a stand- 
alone environment, as an RMS advisor, or as a coordinator of many RMSs. Depending 
upon the configuration used, MSHN will exhibit different behavioral characteristics, 
performance, and capability. For each configuration, different components of Figure 1 are 
implemented. 

MSHN can be configured to function as its own environment. In this
configuration, it has explicit control over some of the resources and users of the VHM
while having no direct control over others. It is able to accept job requests for execution,
identify the correct machine and appropriate time for execution, ensure that data are
routed properly, and finally execute the jobs. It has the means to directly interface with
the machines and resources it controls, administer the users of MSHN, and monitor the
state of the VHM. In this operational mode, the RMS box at the bottom of Figure 1 is left
off.

MSHN can also be configured to perform duties as an RMS advisor. In this role,
the original scheduling engine of the RMS is replaced by MSHN. MSHN's single purpose
is to generate a recommended schedule of job execution. It accomplishes this by
accepting from the RMS the lists of jobs to be executed, the VHM state information (i.e.,
the machines and resources available, and their current loads), and any dependency and
constraint information with respect to both the jobs and resources. The RMS accepts the
recommended schedule and uses it to coordinate its jobs. In this configuration, MSHN
does not directly command the resources of the VHM. It is the RMS that acts as the
controlling agent. This use of MSHN prevents the RMS, and ultimately the user, from
taking full advantage of the unique and effective features of MSHN. This is because the
majority of the information MSHN requires to optimally schedule jobs is neither available
nor tracked by current RMSs (e.g., past performance and resource architecture). In this
configuration, the Execution and Administration interfaces of Figure 1 are omitted, their
functionality being the responsibility of the RMS being advised, and all the boxes at the
bottom of Figure 1 are left off except that entitled "RMS."

The third configuration of MSHN is as an RMS manager. In this form, MSHN
takes on the role of a coordinator of multiple RMSs. As a coordinator, MSHN has the
capability to migrate jobs from one RMS's domain to that belonging to another, query an
RMS on the status of its jobs, and redirect the results of those jobs. These actions
enhance the overall performance of the collective RMSs. In this role, MSHN also
maintains the ability to interact directly with the user. The user's jobs are submitted
directly to MSHN for later delegation to an RMS for execution.

3. Interfaces

There are two classes of MSHN interfaces. One is the internal class consisting of 
those designed to interface to the people who use MSHN. The other is the external 
interface that structures and regulates MSHN’s interaction with the resources and RMSs 
of the VHM. 

The internal class consists of two distinct human interfaces. One is termed the
Execution Interface; the other, the Administration Interface. The Execution interface is
provided for the typical user whose concerns focus on MSHN's ability to accept and
execute his jobs. The Execution Interface possesses the functionality required for a user
to:

• submit an application to be executed,

• provide any special instructions concerning it,

• monitor the application's progress,

• display, direct, or save their application's output, and

• perform rudimentary control functions (e.g., to terminate or dequeue a job).


The Administrative interface is provided for the MSHN administrator. The
requirements of the administrator exceed those of a user. The capabilities provided by the
Administrative interface allow the administrator to support the correct operation of
MSHN. The Administrative interface possesses the functionality required to:

• permit new job records to be placed into the Database,

• permit existing job records in the Database to be updated/modified,

• permit resources to be added/removed from the VHM,

• monitor the VHM (i.e., the load on the resources and the progress of jobs),

• resolve scheduling conflicts, and

• access MSHN's replay, debugging, and diagnostic tools.

The External interfaces of MSHN are used to interact with the resources of the
VHM. Depending on the configuration of MSHN, the interfaces may also be used to
regulate interactions with the compute facilities, and the corresponding machines at these
sites that MSHN controls; the RMSs that it advises; and the collection of RMSs MSHN
manages. These interfaces reside within the MSHN Controller.


C. CONFIGURATION FOR STUDY


The remainder of this study will be restricted to and focus on the stand-alone
configuration of MSHN. Also, we will assume that the individual resources of the VHM
will not individually possess multilevel security classifications; each resource has a
single security classification and will maintain it.


III. OVERVIEW OF COMPUTER SECURITY


Before continuing, it is necessary to examine the issues that underlie computer
security and their impact on MSHN. Computer security is a very complex and broad
subject. Security concerns have been in existence since the birth of the computer age and
have increased with the growth of the industry. It is not our objective to present an all-
encompassing discussion of computer security in this section. However, this chapter is
meant to assist the reader in gaining an appreciation for some of the fundamental
principles of computer security, to introduce the essential terms and concepts, and to build
a basis for a security analysis of MSHN.


A. FUNDAMENTAL SECURITY CONCEPTS 


A simplistic but meaningful definition for Computer Security is embodied by the
following quote from Practical Unix & Internet Security: "A computer is secure if you
can depend on it and its software behaves as you expect." [Ref. 6] While this supplies us
with a conceptual handle on security, it relies heavily on the user's interpretation of
"depend" and "expect." In the rest of this section, we will examine: 1) the fundamental
security objectives, the requirements needed to achieve them and their articulation in what
is termed a security policy; 2) the definition of a security policy; and 3) the functions and
implementation mechanisms needed to meet security policy objectives. Because security
policy enforcement is of critical importance in areas such as national defense, the ability to
assure that the policy's enforcement is both correct and continuous is closely tied to
secure systems development.


1. Security Objectives 


The following section defines the three fundamental objectives of computer 
security, namely confidentiality, integrity, and availability. In many systems, one of these 
objectives may dominate; in others, they may all have equivalent levels of importance. It is 
the responsibility of the designer of a system to assess which of these objectives are critical 
to the user, to prioritize those objectives if necessary, and to make the appropriate design 
choices in the construction of the system. For each of these security objectives we 
provide an example in the context of the MSHN architecture. 

“Confidentiality (sometimes called secrecy) requires that the information in a 
computer system and transmitted information be accessible only for reading by authorized 
parties.” [Ref. 7] The regulation of the access to information by authorized users can be 
decided by other users and implemented as discretionary access controls, such as in Unix. 
This regulation can also be accomplished by imposing laws and regulations applied to the 
labeling of that information resulting in mandatory access controls, such as the rules 
governing classified information within the Department of Defense (DoD). Job 
characteristics that are stored in the MSHN database, such as a job’s past performance on 
specific machines, may be required to reflect the sensitivity of that job and should not be 
available to unauthorized users. Classified sites that contain resources available to MSHN 
should only be accessible by applications possessing the proper security clearance. 

"Integrity (sometimes called accuracy) requires that computer system assets and
transmitted information may be modified only by authorized parties." [Ref. 7] The
integrity objective ensures that a system will maintain the continuing correctness of the
information stored in it. If the integrity of MSHN's Learning/Accounting algorithms is
not guaranteed, then unapproved alterations in the learning heuristics can cause erroneous
updates in the MSHN database. This corrupted data will have a negative effect on the
scheduling algorithms that rely on such data to properly schedule user applications.
Another concern is the integrity of the system files used by MSHN. The accidental or
malicious modification of these files, perhaps via a virus, would cause unwanted
operational behavior to occur.

"Availability requires that computer system assets are available to authorized
parties when needed." [Ref. 7] The intent of the availability objective is to ensure that the
system, meaning both its software and hardware, is able to guarantee that the information
needed by its users is kept available to those users. A user of MSHN must have
confidence that he will not be denied authorized access to MSHN. He expects to be
able to submit his jobs to be scheduled. The user must be confident that his jobs will be
executed, that they will finish, and that the results will be returned to him.


2. Security Policy


A security policy is a statement of intent with regard to controlling the access to
and the dissemination of information [Ref. 8]. Security policies can be grouped into two
fundamental classes: Discretionary Access Control (DAC) policies, and Mandatory Access
Control (MAC) policies. DAC controls a subject's access to objects based on the identity
of the subject. The controls are discretionary in the sense that a subject with certain
access permissions (e.g., "control" access) is capable of passing permissions on to any
other subject. For example, Matt and Lynn are engineers at an aerospace company and
are both authorized to see engineering documents. Matt may choose to give a project
document to Lynn. Here Matt is exercising discretionary access control over an
engineering document. MAC regulates access to objects based on immutable sensitivity
labels associated with objects at the time of their creation and on the formal authorization
(e.g., clearance) of each subject to access information of such sensitivity. [Ref. 9] To
continue with the example, Jim works in the same company as Matt and Lynn but is in the
marketing department. Engineers are forbidden to give technical documents to the
marketing people. So, if Matt gives the same project document to Jim, he will violate the
company's mandatory policy and may be fired as a consequence. A more detailed
discussion of security policy and how it relates to MSHN will be presented in Chapter V.


3. Reference Monitor Concept


The Reference Monitor Concept resulted from the Computer Security Technology
Planning Study conducted in 1972 by James P. Anderson & Company [Ref. 10]. The
Reference Monitor Concept provides an abstract ideal with which the actual operation of
security mechanisms can be compared and judged. The Reference Monitor Concept
provides a basis for addressing the multilevel sharing problem. No plausible alternative to
it has been advanced to date. It is believed to represent a necessary and sufficient set of
components for controlling access to information. “It scopes a technically coherent subset
of the entire computer security problem space without trivializing the importance of
addressing other security problems.” [Ref. 11] Figure 2 depicts the Reference Monitor
Concept.


[Figure 2 (diagram). Labels legible on the page: Subjects; Reference Validation
Mechanism; Authorization Database; Current Access Authorization Database.]

Figure 2. Reference Monitor Concept.


The Reference Monitor Concept is an abstraction that provides a high level
methodology for controlling access to passive entities by active entities. The high level
description of the Reference Monitor Concept is formalized in formal security policy
models. Formal security policy models are rigorous logical models of security
functionality through which the policy can be analyzed and the security aspect of system
behavior proven. The Reference Monitor Concept provides a theoretical basis for the
design and implementation of mechanisms for the enforcement of the security policy.
Three design requirements that must be sought by any implementation of the Reference
Monitor Concept are: isolation, completeness, and verifiability. Isolation refers to the
requirement that the reference monitor must be tamperproof. This means that the
reference validation mechanism (RVM) cannot be subject to an external attack which
would modify its policy enforcement properties. Completeness dictates that the reference
monitor must always be invoked, viz. every access by every program for data must be
mediated. This does not mean that mediation continues once access to an object
containing data is granted. That would result in unacceptable performance degradation
and is not required to correctly enforce the security policy. Verifiability means the
reference monitor must be small enough to be amenable to analysis and tests to assure
completeness.

Two fundamental components of the Reference Monitor Concept are objects and 
subjects. Objects are passive entities that contain or receive information. Some examples 
of objects are files, directories, keyboards, video displays, printers, system clocks, memory 
segments, and network nodes. Subjects are active entities that cause information to flow 
among objects or change the system state. Subjects normally map to people, processes, 
and devices. The concept of a device as an active entity emerges from the fact that some 
devices that span multiple security levels must contain logic sufficient to correctly handle 
variously labeled information. 

The Reference Monitor Concept is realized in the imposition of a RVM between
subjects and objects as shown in Figure 2. If a subject requires access to an object, then
the subject invokes the RVM. The RVM accepts the request for access and consults the
authorization database. The content of the database determines if access is granted. If
granted, changes to the current access authorization database are made, and the audit trail
reflects the transaction.
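The mediation just described, written out as a small reference validation mechanism. This is an added example, not code from the thesis or from MSHN; the policy entries, subject names (job_alice, job_bob, scheduler) and object names are constructed. It shows the three records of Figure 2 (authorization database, current access table, audit trail), that every decision is audited whether granted or not, and that the mechanism keeps its own copy of the policy so a caller cannot alter it after the fact.

```python
"""A minimal reference validation mechanism (RVM).

Added example, not code from the thesis or from MSHN. Subject, object and
right names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]          # (subject, object)


@dataclass(frozen=True)
class AuditRecord:
    subject: str
    obj: str
    right: str
    granted: bool


class ReferenceValidationMechanism:
    """Single choke point through which every subject-to-object access passes.

    _authz          -- the policy (Figure 2's Authorization Database):
                       (subject, object) -> rights the subject may exercise.
    current_access  -- accesses granted and not yet released (Figure 2's
                       Current Access Authorization Database).
    audit_trail     -- one record per decision, granted or denied.
    """

    def __init__(self, authorization_db: Dict[Key, Set[str]]) -> None:
        # Copy the policy so that nothing outside the RVM can alter it
        # afterwards: a first, weak form of the isolation requirement.
        self._authz: Dict[Key, Set[str]] = {
            k: set(v) for k, v in authorization_db.items()
        }
        self.current_access: Set[Tuple[str, str, str]] = set()
        self.audit_trail: List[AuditRecord] = []

    def request(self, subject: str, obj: str, right: str) -> bool:
        """Mediate one access request; every decision is audited."""
        granted = right in self._authz.get((subject, obj), set())
        self.audit_trail.append(AuditRecord(subject, obj, right, granted))
        if granted:
            # Completeness means the request is mediated; it does not mean
            # every later use of the granted access is re-checked. The grant
            # is simply recorded until the subject releases it.
            self.current_access.add((subject, obj, right))
        return granted

    def release(self, subject: str, obj: str, right: str) -> None:
        self.current_access.discard((subject, obj, right))

    def denied(self) -> List[AuditRecord]:
        return [r for r in self.audit_trail if not r.granted]


def demo() -> ReferenceValidationMechanism:
    """Constructed scenario: one user job and the scheduler's status table."""
    policy: Dict[Key, Set[str]] = {
        ("job_alice", "input_alice"): {"read"},
        ("job_alice", "output_alice"): {"read", "write"},
        ("scheduler", "status_table"): {"read", "write"},
    }
    rvm = ReferenceValidationMechanism(policy)

    rvm.request("job_alice", "input_alice", "read")      # granted
    rvm.request("job_alice", "output_alice", "write")    # granted
    rvm.request("job_alice", "status_table", "write")    # denied: not in policy
    rvm.request("job_bob", "output_alice", "read")       # denied: unknown subject

    # Tampering with the caller's copy of the policy after the RVM was
    # built must not change later decisions.
    policy[("job_bob", "output_alice")] = {"read"}
    rvm.request("job_bob", "output_alice", "read")       # still denied

    rvm.release("job_alice", "input_alice", "read")      # job finished reading
    return rvm
```

In a real kernel the policy copy alone does not make the mechanism tamperproof; isolation has to come from the hardware and address-space separation discussed under the Trusted Computing Base below. The example only shows the mediation and audit behaviour.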

The Reference Monitor Concept is an ideal, and will always be impossible to
achieve in practice. No matter how rigorously security engineering techniques are applied
to the development of RVMs, or security kernels as they are alternatively called,
imperfections in the software and hardware development process make it impossible,
from a practical point of view, to design a perfect RVM. Flaws and uncloseable covert
timing channels may remain to allow unauthorized information flow.


4. Trusted Computing Base 


To continue our discussion of the abstraction called the Reference Monitor 
Concept, we now introduce the idea of a Trusted Computing Base (TCB). It is necessary 
to discuss this concept because the Trusted Computer System Evaluation Criteria 
(TCSEC) uses this term in referring to a perimeter delineating the security relevant 
mechanisms used to enforce the security policy from non-security relevant mechanisms. 
Thus the TCB may be defined as the smallest isolated subset of the system that 
encompasses the functions of both the reference monitor implementation and required 
supporting functions (see Figure 3). The TCSEC defines the TCB as: 

    The totality of protection mechanisms within a computer system - including
    hardware, firmware, and software - the combination of which is responsible
    for enforcing a security policy. A TCB consists of one or more
    components that together enforce a unified security policy over a product
    or system. The ability of a TCB to correctly enforce a security policy
    depends solely on the mechanisms within the TCB and on the correct input
    by the system administrative personnel of parameters (e.g., a user’s
    clearance) related to the security policy. [Ref. 9]

Many ideas proposed in the Reference Monitor Concept are reflected in the TCB.
However, a TCB is quite different. First, the TCB includes additional security supporting
functions (SSF) such as password maintenance, providing a security administrator
interface, and audit retrieval and analysis. Second, the TCB always refers to an automated
system. Finally, a TCB is an implementation and not a high level abstraction.


[Figure 3 (diagram). Labels legible on the page: Security Kernel, nested inside the TCB.]

Figure 3. TCB Architecture.


B. SECURITY MODELS 


A security model precisely defines the security policy, relating it to the overall
behavior of the system. The primary purpose of a security model is to provide a precise
mathematical description of a security policy in terms of system level operations designed
to successfully implement the policy’s requirements [Ref. 12]. A sound security policy
model should be precise and unambiguous, easy to comprehend, and deal only with
security; it should not constrain the principal function of the system. This section outlines
three traditional security models. In a subsequent chapter we will discuss MSHN in the
context of a more complex security policy.

1. Graham-Denning Model 

The Graham-Denning model [Ref. 13] is a formal description of Protection Rules
(see Figure 4) along with an Access Control Matrix (ACM) (see Figure 5), designed to
enforce a discretionary security policy. These protection rules relate a set of subjects, a
set of objects, and a set of access rights. There are eight Protection Rules.


• Create an object. Governs the creation of an object.
• Delete an object. Governs the deletion of an object by a subject.
• Create a subject. Governs the creation of a subject.
• Delete a subject. Governs the deletion of a subject by a subject.
• Read access right. Governs the reading of a subject’s access right to an
  object.
• Delete access right. Governs the deletion of a subject’s access right to an
  object.
• Grant access right. Governs the granting of a subject’s access right to an
  object to another subject.
• Transfer access right. Governs the transferring of a subject’s access rights to
  an object to another subject.


The ACM (see Figure 5) is constructed with each row representing a subject and
each column representing an object or a subject acting as an object. The model views all
subjects as having this dual existence for the purpose of determining whether a subject can
exercise control (e.g., delete, read access rights, delete access rights) over another subject.
Subjects are also viewed as objects when, in fact, they exhibit the behavior of an object
(e.g., an executable program when being managed in memory). Each table cell contains
the subject’s (row) access rights to the object (column) and reflects the current security
status of the system.

There are five primitive access rights: read, write, execute, control, and owner.
Each object and subject in the ACM is assigned a distinct owner and controller,
respectively. An owner is the subject that has the exclusive owner access right to an
object, and a controller is the subject that has the exclusive control right to a subject. The
Protection Rules use the control and owner access rights to determine whether the actions
listed in Figure 4 may be performed by a given subject.


[Figure 4 is a three-column table (rule, precondition, action) of which only part is
legible on the page. The recoverable rows, with x the subject requesting the access
right(s), are:

  Create object O:                precondition cell not legible;   add column for O in ACM,
                                                                   place owner in ACM[x,O]
  Delete object O:                owner in ACM[x,O];                delete column O
  Grant access right R to S to O: owner in ACM[x,O];                add R to ACM[S,O]
  Transfer access right R or R*
    to S to O:                    R* in ACM[x,O];                   add R or R* to ACM[S,O]

The rows for create subject, delete subject, read access right and delete access right
are not legible.]

Figure 4. Protection Rules [Ref. 27].


[Figure 5 (access control matrix). The cell contents are not recoverable from the page.]

Figure 5. Access Control Matrix [Ref. 27].
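The eight Protection Rules as executable code, added here as an example; it is not code from the thesis or from MSHN. The preconditions for the four rows that are not legible in Figure 4 (create subject, delete subject, read access right, delete access right) follow the standard Graham-Denning formulation, which is an assumption beyond what the page shows. The subject and object names are constructed, and an initial subject "admin" is assumed to exist before any rule runs. The scenario replays the Matt/Lynn/Jim example: with discretionary controls alone, nothing in the matrix stops Lynn from passing a transferable right on to Jim in marketing.

```python
"""Graham-Denning protection rules over an access control matrix (ACM).

Added example; not code from the thesis or from MSHN. Preconditions for the
rows of Figure 4 that are not legible on the page (create subject, delete
subject, read access right, delete access right) follow the standard
Graham-Denning formulation, an assumption beyond the page. Names are
constructed; 'admin' is assumed to exist before any rule is applied.
"""
from typing import Dict, Set, Tuple

Rights = Set[str]


class AccessControlMatrix:
    """Rows are subjects; columns are objects and also subjects, so that one
    subject may hold 'control' over another. x is always the requester."""

    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()
        self._cells: Dict[Tuple[str, str], Rights] = {}

    def rights(self, row: str, col: str) -> Rights:
        return self._cells.setdefault((row, col), set())

    def _owns(self, x: str, o: str) -> bool:
        return "owner" in self.rights(x, o)

    def _controls(self, x: str, s: str) -> bool:
        return "control" in self.rights(x, s)

    # Rules 1-2: the creator becomes owner (object) or controller (subject).
    def create_object(self, x: str, o: str) -> None:
        if o in self.objects or o in self.subjects:
            raise ValueError(f"{o} already exists")
        self.objects.add(o)
        self.rights(x, o).add("owner")

    def create_subject(self, x: str, s: str) -> None:
        if s in self.subjects or s in self.objects:
            raise ValueError(f"{s} already exists")
        self.subjects.add(s)
        self.rights(x, s).add("control")

    # Rules 3-4: deletion requires owner (object) or control (subject).
    def delete_object(self, x: str, o: str) -> None:
        if not self._owns(x, o):
            raise PermissionError(f"{x} is not owner of {o}")
        self.objects.discard(o)
        for key in [k for k in self._cells if k[1] == o]:
            del self._cells[key]

    def delete_subject(self, x: str, s: str) -> None:
        if not self._controls(x, s):
            raise PermissionError(f"{x} does not control {s}")
        self.subjects.discard(s)
        for key in [k for k in self._cells if s in k]:
            del self._cells[key]

    # Rules 5-6: inspecting or revoking another subject's rights needs
    # control over that subject or ownership of the object.
    def read_access_right(self, x: str, s: str, o: str) -> Rights:
        if not (self._controls(x, s) or self._owns(x, o)):
            raise PermissionError(f"{x} may not read ACM[{s},{o}]")
        return set(self.rights(s, o))

    def delete_access_right(self, x: str, r: str, s: str, o: str) -> None:
        if not (self._controls(x, s) or self._owns(x, o)):
            raise PermissionError(f"{x} may not alter ACM[{s},{o}]")
        self.rights(s, o).discard(r)

    # Rule 7: only the owner may grant rights on an object.
    def grant_access_right(self, x: str, r: str, s: str, o: str) -> None:
        if not self._owns(x, o):
            raise PermissionError(f"{x} is not owner of {o}")
        self.rights(s, o).add(r)

    # Rule 8: R is transferable only by a holder of R*; the holder may pass
    # on plain R (not transferable further) or R* (transferable again).
    def transfer_access_right(self, x: str, r: str, s: str, o: str) -> None:
        base = r.rstrip("*")
        if base + "*" not in self.rights(x, o):
            raise PermissionError(f"{x} holds no transferable {base} on {o}")
        self.rights(s, o).add(r)


def demo() -> AccessControlMatrix:
    """Replays the Matt/Lynn/Jim example with discretionary controls only."""
    acm = AccessControlMatrix()
    acm.create_subject("admin", "matt")
    acm.create_subject("admin", "lynn")
    acm.create_subject("admin", "jim")
    acm.create_object("matt", "project_doc")          # Matt owns the document
    acm.grant_access_right("matt", "read*", "lynn", "project_doc")
    # Lynn holds read*, so DAC lets her pass 'read' to Jim; nothing in the
    # matrix expresses the company's mandatory rule against doing so.
    acm.transfer_access_right("lynn", "read", "jim", "project_doc")
    return acm


def jim_can_transfer(acm: AccessControlMatrix) -> bool:
    """Jim received plain 'read', not 'read*', so he cannot pass it on."""
    try:
        acm.transfer_access_right("jim", "read", "lynn", "project_doc")
    except PermissionError:
        return False
    return True
```

The point for MSHN is the one the text makes next: a matrix of this kind can express who may pass a right on, but not that a document must never reach marketing, which is why the mandatory models that follow are needed alongside it.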


2. Bell and LaPadula Model


The Bell-LaPadula model [Ref. 14] is an information flow model identifying
allowable paths for information flow in a secure system (see Figure 6). This model was
developed and published by D. Bell and L. LaPadula to specifically reflect military (DoD)
security policy.


[Figure 6 (diagram): subjects and objects arranged by sensitivity, High at the top, with
arrows labeled Read and Write showing the permitted directions of information flow.
Labels legible on the page: High; Sensitivity of Objects & Subjects; Objects; Subjects;
Read; Write.]

Figure 6. Secure Information Flow.


It models both mandatory and discretionary security policies. The model describes
a set of subjects S and a set of objects O and a binary access class relational operator
≤. For example, if A ≤ B, the access class of the left operand A is at the same level as or
lower than the access class of the right operand B. For every subject s in S, and object o
in O there is a fixed access class C(s) and C(o). (C is a function that returns the access
class of the subject or object.) For mandatory policy enforcement the model presents two
properties that must be maintained. These two properties work conjunctively to prevent
the disclosure of sensitive information and are defined as follows.

• Simple Security Property. A subject s may have read access to an object o
  only if C(o) ≤ C(s).

• *-Property (Confinement Property). A subject s with read access to an
  object o may have write access to an object p only if C(o) ≤ C(p).


3. Lattice Model 


The Lattice Model [Ref. 15] is also an information flow model, and is applicable to
Mandatory Access Control security policies. Its unique characteristic is that it is
represented using a mathematical structure called a lattice: a finite set of security classes
and a flow relation, →, with least upper bound and greatest lower bound operators. The
lattice properties (reflexivity, transitivity, and antisymmetry) permit concise formulations
of the security requirements of different systems and facilitate the construction of
mechanisms to enforce a security policy. In terms of processes, the lattice properties as
described in A Guide to Understanding Security Modeling in Trusted Systems [Ref. 12]
are:

• Reflexivity. A process can access any information it possesses. That is,
  information can always flow from a process to itself.

• Transitivity. If information can flow from process P1 to process P2 and can
  flow from P2 to P3, then information can flow from P1 to P3.

• Antisymmetry. If information can flow from a process with label L1 to a
  process with label L2, and conversely, then L1 = L2.


“The model provides a unifying view of all systems that restrict information flow,
enables classification of them according to security objectives, and suggests some new
approaches.” [Ref. 15] In this model, each node on the lattice represents a particular
security class that is derived from the system’s set of security classes. The security classes
may be linearly ordered, nonhierarchically ordered, or a combination of both, as shown in
the lattices of Figure 7. Information may only flow from one node to another if the
following two conditions are met.

• The sending node’s hierarchical component of the security class is less than or
  equal to the receiving node’s hierarchical component of the security class.

• The sending node’s nonhierarchical component of the security class is a subset
  of the receiving node’s nonhierarchical component of the security class.


[Figure 7 (three lattice diagrams): a Linear Class Lattice (labels legible: Secret (S),
Unclass (U)), a Nonhierarchical Classes Lattice, and a Combination Lattice.]

Figure 7. Lattice Structures.
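One implementation of the access-class lattice of this section and of the two Bell-LaPadula properties of the previous one, added here as an example; it is not code from the thesis or from MSHN. Access classes are (hierarchical level, set of nonhierarchical categories) pairs, the flow relation is the pair of conditions stated above, and the *-property is applied exactly as the text phrases it (every object the subject currently reads must be able to flow to the object it writes). The level names, category names, subjects and objects in demo() are constructed.

```python
"""Access-class lattice with Bell-LaPadula mandatory checks.

Added example serving both the Bell-LaPadula and Lattice Model sections;
it is not code from the thesis or from MSHN. The level names, category
names, subjects and objects in demo() are constructed.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

LEVELS = ["U", "C", "S", "TS"]   # hierarchical component, lowest first


@dataclass(frozen=True)
class AccessClass:
    level: str
    cats: FrozenSet[str] = frozenset()   # nonhierarchical component

    def __le__(self, other: "AccessClass") -> bool:
        """Flow relation self -> other: level no higher, categories a subset."""
        return (LEVELS.index(self.level) <= LEVELS.index(other.level)
                and self.cats <= other.cats)


def lub(a: AccessClass, b: AccessClass) -> AccessClass:
    """Least upper bound: the lowest class both a and b may flow to."""
    return AccessClass(max(a.level, b.level, key=LEVELS.index), a.cats | b.cats)


def glb(a: AccessClass, b: AccessClass) -> AccessClass:
    """Greatest lower bound: the highest class that may flow to both."""
    return AccessClass(min(a.level, b.level, key=LEVELS.index), a.cats & b.cats)


def product_lattice(cats: Iterable[str]) -> List[AccessClass]:
    """Every (level, category subset) pair: the 'combination lattice'."""
    cats = list(cats)
    subsets = [frozenset(c for c, bit in zip(cats, bits) if bit)
               for bits in product((0, 1), repeat=len(cats))]
    return [AccessClass(lvl, sub) for lvl in LEVELS for sub in subsets]


def is_lattice(classes: Iterable[AccessClass]) -> bool:
    """Reflexivity, antisymmetry, transitivity, and closure under lub/glb."""
    cs = list(classes)
    if any(not a <= a for a in cs):
        return False
    for a, b in product(cs, repeat=2):
        if a <= b and b <= a and a != b:
            return False
        if lub(a, b) not in cs or glb(a, b) not in cs:
            return False
    return all(a <= c for a, b, c in product(cs, repeat=3) if a <= b and b <= c)


class BLPMonitor:
    """Applies the simple security property and the *-property as the text
    states them, tracking the objects each subject currently reads."""

    def __init__(self, subjects: Dict[str, AccessClass],
                 objects: Dict[str, AccessClass]) -> None:
        self.C: Dict[str, AccessClass] = {**subjects, **objects}
        self.reading: Dict[str, Set[str]] = {s: set() for s in subjects}

    def read(self, s: str, o: str) -> bool:
        ok = self.C[o] <= self.C[s]          # simple security: C(o) <= C(s)
        if ok:
            self.reading[s].add(o)
        return ok

    def write(self, s: str, p: str) -> bool:
        # *-property: for every object o that s reads, C(o) <= C(p)
        return all(self.C[o] <= self.C[p] for o in self.reading[s])


def demo() -> Tuple[bool, bool, bool, bool]:
    crypto = frozenset({"crypto"})
    subjects = {"analyst": AccessClass("S", crypto)}
    objects = {
        "crypto_report": AccessClass("S", crypto),
        "nuke_doc": AccessClass("S", frozenset({"nuke"})),
        "unclass_note": AccessClass("U"),
        "ts_plan": AccessClass("TS", crypto),
    }
    m = BLPMonitor(subjects, objects)
    r1 = m.read("analyst", "crypto_report")   # True: same class
    r2 = m.read("analyst", "nuke_doc")        # False: 'nuke' category not held
    w1 = m.write("analyst", "unclass_note")   # False: crypto_report would flow down
    w2 = m.write("analyst", "ts_plan")        # True: S/{crypto} -> TS/{crypto}
    return r1, r2, w1, w2
```

is_lattice() is the check a practitioner wants before trusting a hand-built set of classes: a set that is missing the least upper bound of two of its members (for instance U/{a} and U/{b} without U/{a,b}) is a partial order but not a lattice, and a labeling scheme built on it has no single class to which information from both may safely flow.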




C. TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA 


In designing a secure system one must consider the security objectives described in
the previous section. The question remains as to how to provide a high level of confidence
to an organization that its particular system does (or will) correctly enforce the
organization’s security policy. Criteria are intended to provide guidance to system
developers. They outline the minimal requirements that must be satisfied in order to
achieve a particular level of confidence that the policy will be correctly enforced. There
are several sets of criteria to choose from: the Trusted Computer System Evaluation
Criteria (TCSEC) [Ref. 9], the Information Technology Security Evaluation Criteria
(ITSEC) [Ref. 16], the Canadian Trusted Computer Product Evaluation Criteria
(CTCPEC) [Ref. 17], and the Federal Criteria/Common Criteria [Ref. 18]. In our analysis
of MSHN, we will utilize the TCSEC. This section summarizes the requirements
embodied in the TCSEC.

1. History and Purpose 

In 1983 the National Computer Security Center published the DoD Trusted
Computer System Evaluation Criteria, also called the “Orange Book” after the color of its
cover. This document was reviewed and republished in 1985 as DoD standard 5200.28-STD.
The National Computer Security Center (NCSC) was formed in January 1981
under the management of the National Security Agency. Its mission was to expand on the
work started by the DoD Computer Security Initiative of 1977. The NCSC based the
TCSEC upon the evaluation material produced by the National Bureau of Standards and
the MITRE Corporation. [Ref. 9]

The TCSEC not only provides a rating structure for security evaluation, but also
defines many computer security concepts and provides guidelines for what functionality is
necessary and sufficient for a trusted system. The official purpose as stated in the TCSEC
is threefold:

• To provide guidance to manufacturers as to what to incorporate in their
  systems to satisfy the trust requirements of a DoD evaluation,

• To give users a yardstick with which to assess the degree of trust that can be
  placed in computer systems, and

• To provide a common basis for specifying security requirements in
  acquisitions.

The TCSEC accomplishes its objectives by defining four broad hierarchical
divisions for describing the protection mechanisms that are provided in a given computer
system. These divisions are: D (minimal security), C (discretionary protection), B
(mandatory protection), and A (verified protection). These broad divisions are further
subdivided to reflect varying degrees of security capabilities within each division. These
subdivisions are explained later in this section. Each division is defined by the extent to
which it meets the Fundamental Computer Security Requirements that follow.


2. Fundamental Computer Security Requirements 


The Fundamental Computer Security Requirements of the TCSEC are six areas
that delineate what it really means to call a computer secure from a DoD perspective.
These requirements define what is needed to control access to information, and to obtain
accountability and assurance in a trusted computer system.


33 


a) Security Policy

This requirement states that there must be an explicit and well-defined
security policy enforced by the system. This policy is a set of rules used to determine
whether a given subject can be permitted to gain access to a specific object. It also
mandates that the security policy for systems handling sensitive information (e.g.,
classified messages) requires mandatory access controls as well as discretionary access
controls. [Ref. 9]


b) Marking

This requirement states that access control labels must be associated with
objects. Mandatory access control requires that every object be labeled with an identifier
reflecting its level of sensitivity. Without such labels, mandatory access control cannot be
implemented. [Ref. 9]


c) Identification

This requirement states that individual subjects must be identified before
obtaining access to the system. Information access must be mediated on the basis of the
identity and authorization of the subject requesting the access. Recall that a subject is
defined as an active element that performs some security-relevant action in the system. In
addition, it is required that the system provide for the protected safe storage of the
identification and authorization information. [Ref. 9]


d) Accountability

This requirement states that audit information must be selectively kept and
protected so that actions affecting security can be traced to the responsible party. It
introduces the concept of an audit log, the repository in which relevant events are
recorded. This log must be protected from unauthorized modification and destruction.
[Ref. 9]


e) Assurance

This requirement states that the computer system must contain
hardware/software mechanisms that can be independently evaluated and provide sufficient
confidence that the system enforces the previous four requirements. As the risk to
information increases, the level of confidence in correct policy enforcement must increase.
This will require the application of rigorous software engineering methods, minimization
of trusted code, and the use of formal methods. [Ref. 9] Configuration management and
trusted distribution are also factors that contribute to assurance in high confidence
systems.


f) Continuous Protection

This requirement states that the trusted mechanisms that enforce these
basic requirements must be continuously protected against tampering and/or unauthorized
changes. It claims that no computer system can be considered truly secure if the
mechanisms that enforce the security policy are themselves subject to corruption. This
requirement states that continuous protection must be provided throughout the computer
system’s life cycle. [Ref. 9] It is a reflection of the “tamperproofness” explained in the
Reference Monitor Concept.


3. Criteria Summary 


As stated earlier, the Trusted Computer System Evaluation Criteria defines four
broad hierarchical divisions for the protection of computer systems: D, C, B, and A.
Divisions C and B are further decomposed into the following classes: C1, C2, B1, B2, and
B3. Each division represents a major improvement in the overall confidence one can place
in the system for the protection of sensitive information (see Figure 8). It is important to
note that the criteria are cumulative in that each division of the criteria inherits the security
requirements of the preceding lower levels. In the TCSEC, each criterion division is
presented in detail and lists to what degree it supports the six fundamental security
requirements.


a) Division D: Minimal Protection

Division D only contains the Class D. This division is reserved for all
computer systems that have been evaluated but fail to meet the requirements for a higher
evaluation class. Class D systems cannot be expected to provide any real security or even
protect against human error. [Ref. 9]


b) Division C: Discretionary Protection

Division C contains Class C1 and Class C2. Systems in this division
provide confidence to the organization that the Trusted Computing Base is enforcing a
discretionary access control policy. Class C1 nominally satisfies discretionary security
requirements by separating users and data. Some credible controls capable of enforcing
access limitations on an individual basis are incorporated. Class C2 enforces a more
granular form of discretionary access control, making users accountable for their actions
through login procedures, the auditing of security-relevant events, and the isolation of
system resources. [Ref. 9]


c) Division B: Mandatory Protection

Division B contains Class B1, Class B2, and Class B3. Class B1 systems
feature an informal statement of the security policy model, provide for data labeling, and
require mandatory access control over named subjects and objects. Class B2 systems
require the TCB to be based upon a clearly defined and documented formal security
model, and require that the enforcement of discretionary and mandatory access controls
be extended to all subjects and objects. Additional software engineering requirements are
introduced making this class relatively resistant to penetration [Ref. 9]. The final class in
this division, Class B3, dictates that the TCB substantially implement the Reference
Monitor Concept requirements. From a practical perspective, it is the minimization of the
TCB that contributes most to assurance by reducing the complexity of the TCB, and the
number of components that must be evaluated for correctness. [Ref. 9]


d) Division A: Verified Protection

Division A contains the Class A1. Class A1 systems are functionally
equivalent to B3 systems; however, the implementation of formal design specification and
verification techniques is required. This results in a high degree of assurance that the TCB
is correctly implemented. Also, additional configuration management requirements, such
as trusted distribution, are added into the criteria of this class.








[Figure 8 is the Trusted Computer System Evaluation Criteria summary chart: one row
per requirement, columns C1, C2, B1, B2, B3, A1, with each cell shaded to mean "No
requirements for this class", "New or enhanced requirements for this class", or "No
additional requirements for this class". The cell contents are not recoverable from the
page.]

Figure 8. Comparison of Evaluation Classes [Ref. 9].


IV. QUALITY OF SERVICE 


In the MSHN proposal document [Ref. 19], the MSHN team has identified several
“Problem Areas” that require detailed research and examination in order to make MSHN a
success. These Problem Areas include such topics as: Exploiting Heterogeneity,
Accounting for Non-determinism, Resource Sharing, Fault Tolerance, and Managing
Quality of Service (QoS). Security is one of the primary QoS objectives to be provided by
MSHN. As such, this chapter will explore how QoS is defined, what services make up the
QoS domain, and how security impacts the other QoS services. The results of this
analysis will later assist us in developing a security policy for MSHN.


A. QUALITY OF SERVICE PERSPECTIVE 


QoS is a difficult concept to explain in definable terms. Webster’s dictionary
defines Quality as degree or grade of excellence, and Service as an act of helpful activity.
These lay definitions help us to gain a general understanding of the Quality of Service
notion. Unfortunately, questions still remain. Who determines what helpful activities of a
system are meaningful, and what metrics should be used in evaluating those activities?
The user must ultimately decide the answers to these two questions. If the user is satisfied
with the system, then the designers have done their job in ensuring that their system
provides a high degree of Quality of Service. However, the word “satisfied” is an
extremely vague term. A designer must somehow be able to identify those activities
(services) that comprise the QoS domain, and devise some procedure to quantify the
degree to which those services are supported. The following is a more logical
methodology for making the identification and measuring of such services tractable (see
Figure 9). This approach is very similar to the Requirement Analysis phase of the System
Engineering Process [Ref. 20].














[Figure 9 (flow diagram). Labels legible on the page: Identify/Classify the Users
(Execution User, Administrator); Review Survey & Categorize Services; List of desired
services/features; Dimensions of the QoS domain.]

Figure 9. Process of QoS Identification.


The first task is to identify and classify the users of the system. MSHN envisions
having two general types of users, Execution Users, and Administrators. Execution Users
will be the people who submit their applications to MSHN, and rely on MSHN to properly
schedule and execute their jobs. Administrators will be responsible for ensuring that
MSHN is properly configured and operating correctly. These two types of users clearly
will have different objectives, reasons for using the system, expectations of performance
and capability, and interaction requirements. This leads us to the next phase of our
methodology.

The next task is to survey what each type of user expects from MSHN. This is the 
step where the user articulates what features, properties, and system characteristics are 
important to him. Of course the survey responses of the user will be very subjective and 
will differ on an individual basis, but it is essential to solicit these opinions. The users are
the ones who define the properties required for each service. In MSHN, the Execution 
User may desire a simple and clear interface such as a Graphical User Interface (GUI), 
while the Administrator would prefer a powerful and efficient command line interface. 
This is an example of conflicting requirements that must be analyzed and resolved by the 
designers. Once the survey is complete, the designers must review the list of services. 

The last task is for the designers to examine this user-generated list of desired 
services to determine if, and to what extent, MSHN can supply these services. Although 
this list will contain specific descriptions of desired services, one may find that these 
services may be grouped into general categories or dimensions. Creation of a 
multidimensional classification system for services will assist the designers in having 
MSHN meet the needs of the users. The following is a list of dimensions that make up the 
QoS domain. It is certainly not an all-inclusive list but does contain those services that are 
common to most user requirements. 


1. Functionality


Functionality is probably the most important service a system can provide.
Functionality is what the system can do for the user. If the system provides only limited
capability, or if what it can do is irrelevant to the user’s needs, then the system is useless.
One could measure this Quality of Service by simply comparing the user’s requirements to
what the system offers. MSHN definitely will provide the much-needed service of
intelligently managing distributed heterogeneous computational and network resources.
Its functionality will include the capability for users to be able to submit a job, monitor a
job’s progress, input specifications and special information related to a job, display a job’s
output, receive a job’s data, and terminate or dequeue a job.


2. Timeliness


Timeliness is a concern to almost all users. In today’s fast food society, the
patience of the typical user is finite. The speed at which the system can process an
application may be of paramount importance to the user. In a real time system, a delay in
processing can cause catastrophic effects resulting in the loss of data, equipment and
possibly even lives. Looking at the other end of the job spectrum (e.g., a simple word
processor application), excessive processing time, when seen in the light of the more
critical effects above, is merely an annoyance to the user. Besides viewing timeliness as a
goal of QoS, it is also an economic issue. Time is a precious resource that can be
quantified in monetary terms. Excessive processing time experienced by users can be
detrimental to an organization’s operational budget and mission. MSHN’s principal goal
is to effectively and efficiently schedule applications thereby meeting the QoS goals of its
users (e.g., reducing the required time to execute a user’s jobs).


3. Throughput


Throughput is a service that deals with quantity. The amount of information the 
system can process, display, transmit, and store determines the level of throughput a 
system provides. Some factors that affect throughput are the capacity of the system’s 
memory and secondary storage, the network channel bandwidth, the rating of the modem, 
and the system architecture. Throughput, in the context of MSHN, will also depend upon 
how many users can access MSHN simultaneously, how many resources will be at the 
user’s disposal, and the limitations MSHN imposes on user job submissions. 


4. Dependability


A system is dependable if it is highly available, has a very small recovery time, is 
capable of providing uninterrupted services, and assures its users that it solves the 
intended problem. Dependability also implies that the system consistently achieves an 
expected level of performance. This QoS objective is often taken for granted. The user 
does not often recognize or appreciate this highly important service until it is absent. One 
of the ways to build dependability into a system is to concentrate on its fault tolerance. 
Fault tolerance is the ability to recover from hardware and software component failures 
without performing incorrect actions. This field of study incorporates many underlying
issues such as halting failures, fail-stop failures, timing failures, and Byzantine failures
[Ref. 21]. The MSHN project recognizes this critical area and has dedicated time and
manpower to resolve problems associated with dependability and fault tolerance.


5. Security


Security is the ability of the system to enforce a specific policy to protect data, 
services, and resources against misuse. This misuse may come from unauthorized users, 
malicious programs (e.g., viruses and Trojan Horses) or unintentional user/software 
errors. This service is highly coveted by systems that process sensitive, financial, and 
military information. Computer security is a diverse and complex subject and was 
discussed in greater detail in the previous chapter of this thesis. Because of MSHN’s 
potential military and commercial application, the designers are determined to incorporate 
security into its architecture. 


6. Ease of Use 


The last QoS element to be discussed is ease of use. If it is easy to use, the users 
will have a natural affinity for the system. Ease of use also results in increasing user 
productivity. Minimizing the time spent on unproductive user interaction with the system 
allows for more beneficial work to be done. In addition, the user is less apt to make 
mistakes (e.g., input erroneous data) when a simple, clear interface is supplied. A system 
that requires a knowledgeable and proficient user will restrict the number of people who 
can use that system. Implementing training programs, supplying reference material, and 
creating on-line tutorials can resolve this problem. However, these approaches can be 
costly and time consuming. MSHN’s predecessor, SmartNet, is intended for an expert 
user, but MSHN plans to expand its clientele. Because of this larger and more diverse 
anticipated user population, the MSHN project will pay particular attention to its interface
and ease of use.


B. SECURITY SERVICE IMPACT 


It is imperative to realize that the services that comprise the QoS domain are not 
orthogonal. These services interact with and are influenced by each other. Compromises 
and trade-offs will take place in any system’s design. Introducing security into a system 
will definitely affect the other QoS elements that the system provides. The magnitude of
that impact depends on the types of security policies that must be enforced and the
security mechanisms applied in the system. MSHN will not be an exception. Integrating 
security with other QoS requirements will certainly impact MSHN’s functionality, 
timeliness, throughput, dependability, and ease of use. 

Incorporating security will rescope the functionality of MSHN. MSHN will not be 
an open system. Restrictions will be placed on a user’s access to files, applications, 
features, and resources. Their accesses will be controlled by their security clearances and 
the permissions they possess. One of the most significant changes will be the user’s view 
of the virtual machine. Users will only be allowed to see those resources to which they are 
authorized to access. This view may be only a subset of the entire virtual machine. These 
changes to MSHN’s functionality will reflect the required security enhancements. 

Security will also cause a fundamental change in the timeliness and throughput 
provided by MSHN. Security will be considered an attribute of the application. The 
scheduler will have to be modified to select resources based on their security attributes in 
addition to their other attributes. One ramification is that a more ideal resource with 
respect to some other QoS attribute may not be selected for use due to the resource’s
inability to meet the application’s security requirements. Another timeliness issue results
from the processing overhead of invoking the reference monitor. Every time a subject 
requests access to an object, the reference validation mechanism mediates the request. 
This will take time and may lead into a bottleneck situation. The exact cost of this 
additional time is difficult to evaluate. At the present stage of MSHN’s development, the 
subjects and objects of the system are yet to be defined. The granularity of the objects and 
subjects could be high or low. The final determination of this granularity would have a 
significant effect on the number of invocations of the reference monitor. 

Security will strengthen the dependability of MSHN. As stated earlier in this 
chapter, dependability is the stability and availability of the system. One of the reasons a 
system can become unstable is the corruption of critical operating system files. By 
restricting access to these files and implementing a program integrity security policy, the 
probability of this occurring is reduced [Ref. 22]. To ensure availability of the system, 
countermeasures can be put into place to guard against denial of service attacks. One 
such countermeasure would be to give MSHN the ability to limit a user’s utilization of the 
system. The length of a particular user session might be bounded. Users might be given a
quota on the number of applications that may be submitted to MSHN. A particular user 
application could be allotted a specified quota of time to run on a machine. User identity 
and the current system load could determine these time allotments. This apportionment 
will help ensure that MSHN and its corresponding resources continue to be available to all 
users. 

Working with a secure version of MSHN will change how the user interacts with
MSHN. No longer will the user have unchecked access to the system and the system’s
resources. The user will have to become familiar with the added security mechanisms that
MSHN will contain. These include an identification and authentication login process, the 
setting of session levels, and the stipulations of working with discretionary access 
controls. Much of this could be automated to preserve MSHN’s ease of use (e.g., by 
using smartcards, biometrics, or other easy-to-use authentication techniques). Operating 
in a multilevel security climate, the user will be subject to certain restrictions and 
limitations. For example, if the user wants to submit his application to a resource that is 
strictly dominated by the user’s session level, he must change his session level. This must 
be done to preserve the confidentiality of sensitive information. This may become 
burdensome if the system contains many security levels and is heavily compartmentalized. 
The user may have to change the session level frequently to accomplish his duties. Along 
with requiring new system behavior, security will also generate additional administrative 
duties. The configuration and maintenance of user accounts, the reviewing of audit trails, 
and the security training of users are but a few of the added responsibilities that a secure
system requires.


C. MANAGING THE IMPACT 


One of the greatest concerns of the designers of MSHN is the detrimental impact 
that the enforcement of a stringent security policy might have on MSHN’s ability to meet 
QoS requirements. This is a heightened concern during certain operating conditions when 
performance (i.e., the combination of timeliness and throughput) and resource accessibility
are paramount. An example of this would be a military setting where the survivability of
forces depends on MSHN scheduling and executing a critical application in a timely
manner. When operating within the constraints of an established security policy, MSHN 
may fail to meet this requirement. The most appropriate resource to process this critical 
application might be inaccessible due to an inadequate number of secure channels or to the 
unavailability of personnel cleared to access this resource. In such a scenario the 
information and resources of MSHN’s domain are protected but at the cost of lives. This 
is unacceptable. 

We may have to consider having a polymorphic security policy to cope with this 
situation. This polymorphic security policy would have the ability to modify itself based 
on the working environment in which the system is operating. Under certain conditions, 
where the transmission of information is more crucial than its protection, a lenient security 
policy could be instituted. When the focus shifts back to information protection, a more 
rigid security policy is reinstated. At the conceptual level, an alteration of the security 
policy (no matter of what magnitude) is really a replacement of one policy for another. 
Thus a polymorphic security policy is really nothing more than multiple serial policies that
the system has to manage. The difficulties and implications of a multipolicy system are
discussed in Chapter V.


V. SECURITY POLICIES


A security policy contains the rules and procedures that will regulate how a 
system’s active entities, acting as surrogates for users, manage, protect, and distribute 
information. The formulation of a system’s security policy is the first step in building a 
secure system. For the proper design of MSHN it is critical that such a policy be formally 
stated. At the current time, no such policy exists. This chapter discusses two fundamental 
types of security policies that may be applied to MSHN, namely, DAC and MAC, as well 
as a flexible multipolicy based on these. For the first two policies, the chapter focuses on 
the identification and the infrastructure of enforcement mechanisms that may be applied to 
support these policies within MSHN. The chapter concludes with a discussion of a 
multipolicy security policy for MSHN, emphasizing such a policy’s characteristics, the 
related problem areas that apply to MSHN’s design with respect to implementing such a 
policy, and recommendations for resolution of these problems. This information will 
hopefully assist the designers in creating the appropriate security policy for MSHN and
building effective mechanisms to support this policy.


A. ACCESS CONTROL POLICY CATEGORIES 


Access control policies can be delineated into two fundamental types. They are 
termed identity-based policies and label-based policies. These two classes are separated 
and characterized by the methods and criteria they use to determine a subject’s access to
objects.


1. Identity Based


Identity based policies permit or deny access based solely upon the identity of the 
subject. Another name for this class of policies is Discretionary Access Control (DAC) 
policies. In certain application areas (e.g., government and military), this type of policy
may be expanded to include additional access rules based on the “need to know” of the 
user. For other applications (e.g., commercial and academic computing) identity based 
controls are simply presented as a mechanism, available to serve whatever discretionary 
access control needs such users might have. 


2. Label Based 


Label-based policies emerge from the assignment of trust, in the form of
clearances, to users and sensitivity levels to information. Within the computer system,
subjects act as surrogates for users and objects are information containers. Each is
assigned an immutable access class. Comparison of subject and object access classes
permits the mediation of access rights by subjects to objects. This class of policies is also
termed Mandatory Access Control (MAC) policies. Enforcement of a MAC security
policy is required of those U.S. government systems that are used to process classified or
other specially categorized sensitive information [Ref. 9].


B. ENFORCEMENT MECHANISMS OF A DAC SECURITY POLICY 


Discretionary security policies are so named because they apply discretionary 
access control mechanisms to control the access to information. They are probably the
most common of enforcement policies. For example, they can be found in UNIX,
Microsoft NT, and Novell operating systems. To better understand discretionary security
policies, it is necessary to examine the requirements, characteristics, and varying forms of 
discretionary access control mechanisms that support such policies. 


1. Requirements


All implementations of DAC security policies share the ability and the supporting 
infrastructure to perform the following fundamental operations. It is important to note 
that satisfying this set of requirements is not sufficient even for obtaining a class C1
TCSEC evaluation. However, it is beneficial to identify a subset of “core requirements” 
so that we may better understand the mechanisms that support DAC security policies. 
The first fundamental operation is that access to objects is based upon user identity. 
Secondly, it must be possible for authorized users to grant and revoke authorization, via 
some means, to objects under their administrative control. Thirdly, it must be possible for 
programs acting for users to grant and revoke authorizations. Lastly, the system must 
support the creation and deletion of objects. The exact discretionary access control 
mechanism used to satisfy these four requirements depends on the techniques employed, 
the defined access types, and the control models implemented. [Ref. 11] 

2. Discretionary Access Control Mechanisms

There are five commonly used mechanisms that support a DAC security policy. 
They are termed capabilities, profiles, access control lists (ACLs), protection bits, and 
passwords. This section provides an overview of each of these mechanisms and highlights
some of the advantages and disadvantages of applying them to a system.


The capabilities mechanism uses a protected identifier (the capability) that is 
assigned to both objects and subjects and used to determine access. A subject is only 
granted access to a particular object if it possesses the proper capability for that object. 
Two fundamental properties of the capabilities mechanism are that a capability can be 
passed from one subject to another, and that the capability may not be altered or 
fabricated without the mediation of the operating system TCB. Capabilities mechanisms 
are useful in enforcing the least privilege principle and providing dynamically changeable 
domains. The problem with the capabilities mechanism approach is that a passing of a 
capability is not recorded. It is difficult to assess who has access to what objects. [Ref.
a 

The profiles mechanism associates with each user a list of protected objects. This 
list delineates what objects the user possesses and the type of access he has to those 
objects. There are several disadvantages to this mechanism. If the user has access to 
many protected objects, the profile list can become very big and difficult to manage. 
Creating, deleting, and changing the permitted access to protected objects requires many 
operations since multiple user profiles must be updated. As in the case for the capabilities 
mechanism, using a profiles mechanism complicates the ability of the system to determine 
who has access to an object. [Ref. 23] 

The ACLs mechanism takes an approach opposite to that used by the profiles and 
capabilities mechanisms. The ACL mechanism associates each protected object with a list 
of identities (e.g., users and groups). This list is referred to as the object’s ACL. The 


access modes allowed for each identity are kept in the ACL. An advantage of this type of
mechanism is that the list need not be excessively long if groups are used. Groups are a
way of grouping multiple users into a single list entry. All members of a group share the 
privileges of that group. The use of groups introduces the problem of conflicts between 
individual user access rights and group rights. For example, a user may be granted only
read access to an object but through group membership be given both read and write 
access to that object. This conflict must be resolved by a precedence schema to evaluate 
group and user access privileges in an ACL. [Ref. 23] 

The protection bits mechanism is a degenerate form of the ACL mechanism. This 
method uses protection bits associated with objects instead of a list of users who may 
access an object. An example of the use of this technique is found in the UNIX operating 
system. In UNIX, the protection bits are grouped into three fields: owner, group, and 
public. The fields contain the access rights respectively for the owner of the object, a 
group, and the public (i.e., all users of the system). Each field is further subdivided into
three bits, namely read, write, and execute. The value of a given bit indicates the 
authorization for the associated access right. For example, if the read bit of the group 
field is set to 1, the members of the group have read access to the object. An advantage of 
this technique is that it is easy to implement and manage. The disadvantage is that it lacks the
ability to conveniently control the access to an object at the granularity of a single user.
[Ref. 23] 
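The ACL-with-groups conflict and the protection-bits mechanism just described can be seen side by side in code. This is an added example, not code from the thesis or from the MSHN project; the precedence schema (most specific entry wins), the implicit "public" group, and all user, group and object names are constructed assumptions.

```python
"""ACL evaluation with a user/group precedence schema, plus UNIX-style
protection bits expressed as a degenerate three-entry ACL.

Added example, not code from the thesis or from the MSHN project. The
precedence schema (most specific entry wins), the implicit 'public' group,
and every user, group and object name below are constructed assumptions.
"""
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = "r", "w", "x"
PUBLIC = "public"   # implicit group that every subject belongs to (assumption)


@dataclass
class AclEntry:
    identity: str          # user name or group name
    is_group: bool
    modes: frozenset       # subset of {READ, WRITE, EXECUTE}; empty = Null entry


@dataclass
class Acl:
    entries: list = field(default_factory=list)

    def grant(self, identity, is_group, *modes):
        """Append an entry; grant() with no modes is a Null (exclusion) entry."""
        self.entries.append(AclEntry(identity, is_group, frozenset(modes)))
        return self


def effective_modes(acl, user, groups):
    """Resolve the modes a subject gets from an ACL.

    The thesis only says a precedence schema is needed to settle user-versus-
    group conflicts; the schema below is this example's choice: the most
    specific matching entry wins.
      1. an entry naming the user itself (even a Null entry with no modes),
      2. otherwise the union of the subject's named-group entries,
      3. otherwise the public entry, if one exists.
    """
    own = [e.modes for e in acl.entries if not e.is_group and e.identity == user]
    if own:
        return frozenset().union(*own)
    named = [e.modes for e in acl.entries
             if e.is_group and e.identity != PUBLIC and e.identity in groups]
    if named:
        return frozenset().union(*named)
    public = [e.modes for e in acl.entries if e.is_group and e.identity == PUBLIC]
    return frozenset().union(*public) if public else frozenset()


def check_access(acl, user, groups, mode):
    """Reference-monitor style yes/no answer for one access request."""
    return mode in effective_modes(acl, user, groups)


def protection_bits_to_acl(bits, owner, group):
    """Express 9 rwx bits (owner, group, public fields) as an equivalent ACL.

    Protection bits are the ACL mechanism restricted to exactly three fixed
    entries, which is why a single user other than the owner cannot be
    singled out. The precedence schema above reproduces the usual UNIX
    check order: owner field, else group field, else public field.
    """
    fields = (bits[0:3], bits[3:6], bits[6:9])
    if len(bits) != 9 or any(f[i] not in (c, "-")
                             for f in fields for i, c in enumerate("rwx")):
        raise ValueError("expected a 9-character string such as rw-r-----")
    acl = Acl()
    for (identity, is_group), chunk in zip(
            ((owner, False), (group, True), (PUBLIC, True)), fields):
        acl.grant(identity, is_group, *(c for c in chunk if c != "-"))
    return acl


def conflict_example():
    """The conflict from the text: a user entry grants read only, while the
    user's group entry grants read and write. Returns (user's modes, a
    fellow group member's modes)."""
    acl = (Acl().grant("alice", False, READ)
                .grant("analysts", True, READ, WRITE))
    return (effective_modes(acl, "alice", {"analysts"}),
            effective_modes(acl, "bob", {"analysts"}))
```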

The password mechanism utilizes passwords to mediate access to each object with 
particular rights. A subject requesting access to the object must supply the correct
password in order to gain access. The difficulties associated with this protection
mechanism are the daunting demand put upon the user to remember all the passwords, the
requirement for the selection of strong passwords, the need for changing passwords often, 
and the ramifications of revoking a user’s access rights. [Ref. 23] 

3. Access Modes

The access modes associated with an object specify what specific operations a 
subject can apply to that object. Numerous types of access modes are used by various 
discretionary access control mechanisms, but most can be found to be derivative of a few 
simplified access modes. The following are those basic access modes as described in A
Guide to Understanding Discretionary Controls in Trusted Systems [Ref. 23].


• Read. This access mode allows an object to be read but not changed in any
way. On most systems the read mode also allows the object to be copied.

• Write. Subjects are allowed to modify, add, or delete the contents of an object
in any manner, but this mode does not allow the subject to view the object.

• Write-Append. Subjects are allowed to expand an object but not allowed to
change the previous contents of or view the object.

• Execute. Subjects are allowed to run the object as an executable file.

• Delete. Subjects are allowed to delete an object.

• Null. No access permissions are granted. It is used to allow the exclusion of a
particular user in an ACL.

• Control. The subject is allowed to pass access permission for an object and to
set the access modes to the object for other subjects.

• Control with passing ability. This is identical to the “control” access mode
with the exception that the holder can pass his control permission to other
users.


Of the modes described above, read and write are fundamental. Other access 
modes are constructed using additional mechanisms and combinations of read and write 
access. 


4. Control Management Models


How control permissions (control, and control with passing ability) are managed in 
a system further dictates how information is regulated. A system may take a lenient 
posture and allow all users to have control permissions. This results in a very dynamic 
system where access changes to objects occur frequently. Alternatively, a system may 
allow only one user to have control permission. This results in a fairly static environment 
where changes to access are centrally controlled. Typically, systems apply one of four 
control models. They are termed hierarchical, concept of ownership, laissez faire, and 
centralized. 

The hierarchical model implements a tree structure to manage control permissions. 
Objects are mapped to the nodes of a tree. If a subject has control permissions to an 
object at a particular node, it can control the access to objects located on all descendent 
nodes. The advantage of this model is that the mapping of users to the nodes can mimic 
the organizational structure of a large enterprise. Therefore, control can be placed at the 
most trusted and appropriate level. 

The concept of ownership model requires that only one user is the owner of an 
object, in most systems this being the creator of that object. The owner is the only one
with control permissions to the object. He is not able to pass that control to any other
user without transferring his ownership rights as well. This eliminates any confusion
concerning who controls access to each object, but also places the burden on the owner to
grant and revoke access to the object by other users.

The laissez-faire model permits any user with “control with passing ability” 
permission to an object to exercise that right without interference from the system. This 
enables the user possessing such a right to pass that permission on to any other user he 
deems appropriate. This can result in an object having multiple controllers, each with the 
ability to modify its access rights. The major disadvantage of this model is that it is 
difficult to track the propagation of access rights because there are no constraints placed 
on the control of right passing. 

The centralized model is similar to the concept of ownership model with the 
exception that there is only one owner for all of the objects in the system. Normally, in 
most systems, the administrator is that user. No other user can possess control permission 
to any of the objects in the system because the “control with passing ability” access mode 
does not exist. The advantage of this model is its tight control of access permissions. 
However, like the concept of ownership model, a significant burden is placed on the
controlling user to satisfy requests for access to objects by the users of the system. 


5. Fundamental Flaw


The fundamental flaw of a DAC security policy is that it is vulnerable to Trojan 
Horses. “A Trojan Horse is a computer program with an apparently or actually useful 
function that contains additional (hidden) functions that surreptitiously exploit the 
legitimate authorizations of the invoking process to the detriment of security or integrity.”
[Ref. 24] A Trojan Horse may cause actions, including the transfer and modification of
data, that the user is unaware of and normally would not authorize. In most systems,
programs that are executed by a user inherit all the rights of that user. Because it is
hidden from the user but possesses that user’s access rights, a Trojan Horse is able to
exploit a DAC system.


C. ENFORCEMENT MECHANISMS OF A MAC SECURITY POLICY


Mandatory security policies are so named because they are global and persistent. 
The majority of systems requiring MAC policy enforcement are U.S. Government 
systems. The data that are handled by systems using MAC mechanisms are generally 
sensitive. This data sensitivity generally results from the topic of the information or its 
source. To better understand mandatory security policies it is necessary to examine the 
principal requirements of MAC mechanisms, the labels they employ, and trusted subjects.


1. Requirements 


The following are required features of MAC mechanisms. There exists a finite 
system of labels that are given to objects and subjects. The labels must not be modifiable 
by normal system users or by subjects operating on their behalf. There exists a relation, 
the dominance relation, that partially orders the labels. This partial ordering is described 
in the Lattice model [Ref.15] presented in Chapter III. The two fundamental access 
modes, read and write, are granted in accordance with the Simple Security Property and 
the Confinement Property. The Simple Security Property allows a subject to read an
object only if the label of the subject dominates the label of the object. The Confinement
Property allows a subject to write to an object only if the label of the object dominates the
label of the subject.


2. Labels 


Sensitivity labels are used to provide the identification of both system users and 
data stored within the system. “A user’s sensitivity label specifies the sensitivity level, or 
level of trust, associated with that user; it’s often called a clearance. A file’s sensitivity 
label specifies the level of trust that a user must have to be able to access that file” [Ref.
25]. The sensitivity labels that are used by MAC policy enforcement mechanisms
generally consist of two components. These components are classifications and 
compartments. 

The standard classifications traditionally used by the DoD military model represent 
a hierarchical relationship (see Figure 10), whereas the compartments used represent a 
non-hierarchical relationship (see Figure 11). The system of classifications is said to be 
hierarchical because the classification labels can be arranged in a linear sequence of 
increasing dominance. Compartments are considered to be a set. When a particular 
access class both hierarchically dominates and contains all of the compartments of another 
access class, it dominates that class. The labels on data, or objects, may consist of both a 
classification and a compartment category. The object’s sensitivity label must have a 
single classification component from one of the hierarchical classification categories. In 
addition to the classification component, the object’s sensitivity may have zero or more
compartment components. In order for the user, or subject operating on his behalf, to be
granted access to an object, the user’s sensitivity label must dominate the object’s
sensitivity label.


Figure 10. Classifications. (Hierarchical levels, ordered from Most Sensitive to Least Sensitive; figure not reproduced.)

Figure 11. Compartments. (NATO, NOFORN, PERSONAL FOR, etc.; not relational; figure not reproduced.)


3. Trusted Subjects 

A trusted subject is a subject that is permitted by the system’s reference validation 
mechanism to violate the Confinement property. In basic terms, a subject is allowed to 
read information at a higher access class and write it to a lower class. Trusted subjects are 
internal to the Trusted Computing Base and used to perform necessary functions that 
would otherwise be prohibited. An example of one of these functions is the downgrading
of information.
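The MAC requirements (a partially ordered label set, the Simple Security and Confinement properties), the two-component labels, and the trusted-subject exception above can be exercised together. This is an added example, not code from the thesis or from MSHN; the classification ladder, compartment names and subject/object labels are constructed for illustration.

```python
"""Label dominance and MAC read/write mediation (Simple Security and
Confinement properties), with a trusted-subject exception for downgrading.

Added example; not code from the thesis or the MSHN project. The
classification order, compartment names and sample labels are constructed.
"""
from dataclasses import dataclass

# Hierarchical classifications: tuple index is the dominance order
# (assumption; the thesis's Figure 10 only says least to most sensitive).
CLASSIFICATIONS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()   # non-hierarchical set, e.g. {"NATO"}

    def __post_init__(self):
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {self.classification!r}")

    def dominates(self, other):
        """self >= other: classification at least as high AND every
        compartment of other is contained in self. This is a partial order:
        labels with disjoint compartments are incomparable."""
        return (CLASSIFICATIONS.index(self.classification)
                >= CLASSIFICATIONS.index(other.classification)
                and other.compartments <= self.compartments)


def label(classification, *compartments):
    """Convenience constructor: label("SECRET", "NATO")."""
    return Label(classification, frozenset(compartments))


def comparable(a, b):
    """False when neither label dominates the other (e.g. SECRET/{NATO}
    versus SECRET/{NOFORN}); such pairs allow neither read nor write."""
    return a.dominates(b) or b.dominates(a)


def may_read(subject, obj):
    """Simple Security Property: subject label must dominate object label."""
    return subject.dominates(obj)


def may_write(subject, obj, trusted=False):
    """Confinement (*) Property: object label must dominate subject label.
    A trusted subject (inside the TCB) is exempt; that exemption is what
    makes downgrading possible."""
    return trusted or obj.dominates(subject)


def mediate(subject, obj, mode, trusted=False):
    """Reference-monitor style decision for one 'read' or 'write' request."""
    if mode == "read":
        return may_read(subject, obj)
    if mode == "write":
        return may_write(subject, obj, trusted)
    raise ValueError(f"unknown access mode {mode!r}")


def downgrade_allowed(subject, src, dst, trusted=False):
    """Copy from src (higher class) to dst (lower class) needs a read at the
    source and a write at the destination; only a trusted subject passes both."""
    return may_read(subject, src) and may_write(subject, dst, trusted)
```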




D. MULTIPOLICY SECURITY POLICY


Multipolicy Security Policies (MSPs) coordinate the enforcement practices of 
multiple security policies when they coexist in the same system. They are metapolicies, 
meaning that they govern the implementation and interactions of policies. MSPs are 
responsible for determining a policy’s domain (i.e., what objects and subjects apply to 
each security policy), integrating one policy with another, and resolving conflicts between 
the various security policies. How MSPs can be viewed, how they work, and what are 
some of the special concerns associated with MSPs are the topic of this section. 

Potentially, the MSHN development team, driven by the purpose and QoS goals of 
MSHN, might be faced with the need to develop a MSP. MSHN will employ numerous 
resources that will be allocated to support the execution of user applications. If a resource 
has a security policy incompatible with that of MSHN’s, a MSP must be present in MSHN
to allow that resource to be used. The second catalyst for a MSHN MSP is the
possibility, proposed at a MSHN Investigators meeting [Ref. 5], of MSHN having the 
ability to alter its security policy to improve performance. This security rheostat implies 
that MSHN will have to enforce several security policies at any given time. 


1. Viewing the Multipolicy System


Multipolicy systems can be characterized in one of two ways. The first view is of 
multiple individual security policies working together in a predictable way independent of 
the state of the system. The other is of policies working together with predictable
behavior dependent on the state of the system.

The first view may be thought of as a composition of policies resulting in one
unifying traditional security policy. The reason to describe this unifying security policy as 
traditional is because of its consistent behavior. The set of rules for controlling the access 
and dissemination of information as defined by the unifying security policy is unalterable 
and is consistent throughout all states of the system. This immutability of the security 
policy is a prevalent, and more often required, attribute in traditional security policies. An 
example of this view is found in systems at TCSEC class B3 and higher. These systems 
enforce discretionary, mandatory, and supporting policies. Each policy has its own set of 
rules and security goals, but they work in harmony to achieve a consolidated and 
consistent security policy for the system they are protecting. 

We introduced the other view in the previous chapter, namely that of a 
polymorphic security policy. To review, a polymorphic security policy is one in which 
multiple individual security policies are enforced in concert. The system is able to manage 
these policies in such a manner that from the external perspective it appears as if there is 
only one security policy (i.e., a super policy) being enforced at a given time. This super 
policy may be a combination of the individual policies or it just may be the one security 
policy that is being enforced at that moment. This view differs from the unifying view in 
that this super policy may change during the course of the system’s operation. By 
changing the security policy and corresponding protection mechanisms, the behavior of 
the system has, in effect, been changed. The tranquility property associated with the label
used to enforce traditional MAC security policies is no longer valid. A polymorphic
security policy suggests that we shift our way of thinking about the security policy
objectives, requirements, and rules of operation. 

Both of these views may be applied to MSHN. The unifying security policy view 
describes how MSHN should operate with resources that follow different security policies. 
The polymorphic security policy view permits the implementation of a “security rheostat” 
mechanism into MSHN. 


2. Mechanics of Multipolicies


Modeling the Multipolicy Machine [Ref. 26], by David Bell, illustrates a method 
of treating the difficulties associated with a system that supports multiple security policies. 
The notions of what he terms policy combination, policy conflict, conflict resolution, and 
policy precedence are discussed. These notions map very well to our two views of MSPs 
and are, in fact, the motivation for the conception of the two views. 

The majority of the concepts presented by Bell can be used to describe the
workings of what we term our unifying security policy view. He describes a process for
representing the multipolicy. This process uses a “policy combiner,” essentially a mapping
function, to fuse all of the policies into a single policy (i.e., a unifying policy). This
unifying policy associates every calculation (request for access) with a value (e.g., must,
may, cannot). If there is a conflict (i.e., one policy allows a particular action while
another does not) between a security policy and the unifying policy, it is resolved by one of
two methods. The first is the selection of another policy combiner that does not produce
conflicts. The other is the process of policy attenuation, where the policy in conflict is
asked whether it can accept the decision of the unifying policy. If it cannot, another
policy combiner is used and the process repeats until all conflicts are resolved.

The idea of policy evolution raised by Bell can be applied to our polymorphic
security policy view. Bell, too, does not view the swapping of one security policy for
another as a complete procedural replacement. Instead, the system recognizes and
enforces all of the security policies defined by the designers. How the system is able to
interact with the multipolicies is governed by a concept he terms policy precedence. Each
policy is associated with a precedence value. There are two distinct forms of the policy
precedence concept, absolute precedence and conflict precedence. Absolute precedence
allows a specified policy to dominate all others. The system recognizes the policy with
the highest precedence and ignores all others. To the outside world, this gives the
appearance that the system is a single policy machine. To change the security policy that
the system is abiding by, one changes the precedence attributes of the various
policies, maximizing the precedence of the desired security policy. The other form,
conflict precedence, allows for the combining of the multiple security policies into one
policy. If there is a conflict between policies, the policy with the higher precedence is
favored. [Ref. 26]
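To make these mechanics concrete, the following Python model is an added example written for this page; it is not code from the thesis, from Bell's paper, or from MSHN. It implements a policy combiner over three-valued decisions (must, may, cannot), policy attenuation (each dissenting policy is asked whether it accepts the unifying decision, and the next combiner is tried if one refuses), conflict precedence, and absolute precedence. The sample policies (a two-level MAC rule on clearances and object levels, an ACL-based DAC rule, and an "emergency" override), their acceptance rules, and the sample subjects and objects are assumptions chosen to exercise the model.

```python
"""Bell-style multipolicy machine: combiners, attenuation, precedence.

Added example for this page, not code from the thesis or from MSHN.
All policies, subjects and objects below are constructed assumptions.
"""
from typing import Callable, Dict, NamedTuple

MUST, MAY, CANNOT = "must", "may", "cannot"


class Request(NamedTuple):
    subject: str
    obj: str
    op: str  # "read" or "write"


class Policy(NamedTuple):
    decide: Callable[[Request], str]      # the policy's own calculation
    accepts: Callable[[str, str], bool]   # attenuation: (own vote, unified) -> ok?


class PolicyConflict(Exception):
    """No combiner produced a decision that every dissenting policy accepts."""


# Policy combiners: map the individual decisions onto one unifying value.
def most_restrictive(votes: Dict[str, str], precedence: Dict[str, int]) -> str:
    if CANNOT in votes.values():
        return CANNOT
    return MUST if MUST in votes.values() else MAY


def conflict_precedence(votes: Dict[str, str], precedence: Dict[str, int]) -> str:
    # Agreement stands; on disagreement the higher-precedence policy is favored.
    if len(set(votes.values())) == 1:
        return next(iter(votes.values()))
    return votes[max(votes, key=precedence.__getitem__)]


class MultipolicyMachine:
    def __init__(self, policies: Dict[str, Policy], precedence: Dict[str, int],
                 absolute: bool = False):
        self.policies = policies
        self.precedence = dict(precedence)  # higher value dominates
        self.absolute = absolute            # absolute precedence: top policy only
        self.combiners = [most_restrictive, conflict_precedence]

    def decide(self, req: Request) -> str:
        votes = {name: p.decide(req) for name, p in self.policies.items()}
        if self.absolute:
            # Looks like a single-policy machine; re-ranking precedence swaps it.
            return votes[max(votes, key=self.precedence.__getitem__)]
        for combine in self.combiners:
            unified = combine(votes, self.precedence)
            dissenters = [n for n, v in votes.items() if v != unified]
            # Policy attenuation: every dissenter must accept the unified value,
            # otherwise the next combiner is tried.
            if all(self.policies[n].accepts(votes[n], unified) for n in dissenters):
                return unified
        raise PolicyConflict(f"{req}: {votes}")


# Constructed sample data: two clearance levels, two labeled objects.
CLEARANCE = {"alice": 2, "bob": 1}
OBJECTS = {"plan": (2, {"alice", "bob"}), "sitrep": (1, {"bob"})}  # (level, read ACL)
EMERGENCY = {"active": False}


def mac_decide(req: Request) -> str:
    level, _ = OBJECTS[req.obj]
    clearance = CLEARANCE[req.subject]
    ok = clearance >= level if req.op == "read" else clearance <= level
    return MAY if ok else CANNOT


def dac_decide(req: Request) -> str:
    return MAY if req.subject in OBJECTS[req.obj][1] else CANNOT


def emergency_decide(req: Request) -> str:
    return MUST if EMERGENCY["active"] and req.op == "read" else MAY


POLICIES = {
    # MAC yields only to a stricter decision, or where it did not forbid.
    "mac": Policy(mac_decide, lambda own, unified: unified == CANNOT or own != CANNOT),
    # DAC accepts whatever the unifying policy decides.
    "dac": Policy(dac_decide, lambda own, unified: True),
    # The emergency policy never gives up a "must".
    "emergency": Policy(emergency_decide, lambda own, unified: own != MUST or unified == MUST),
}
PRECEDENCE = {"emergency": 3, "mac": 2, "dac": 1}


def demo() -> Dict[str, str]:
    """Run the scenarios from the text and return the decision for each."""
    out: Dict[str, str] = {}
    EMERGENCY["active"] = False
    machine = MultipolicyMachine(POLICIES, PRECEDENCE)
    out["bob reads plan"] = machine.decide(Request("bob", "plan", "read"))
    out["alice reads sitrep"] = machine.decide(Request("alice", "sitrep", "read"))
    EMERGENCY["active"] = True
    out["alice reads sitrep, emergency"] = machine.decide(Request("alice", "sitrep", "read"))
    try:
        out["bob reads plan, emergency"] = machine.decide(Request("bob", "plan", "read"))
    except PolicyConflict:
        out["bob reads plan, emergency"] = "unresolved"
    EMERGENCY["active"] = False
    # Absolute precedence: change the governing policy by re-ranking alone.
    single = MultipolicyMachine(POLICIES, {"dac": 3, "mac": 2, "emergency": 1}, absolute=True)
    out["bob reads plan, DAC dominant"] = single.decide(Request("bob", "plan", "read"))
    single.precedence["mac"] = 4
    out["bob reads plan, MAC dominant"] = single.decide(Request("bob", "plan", "read"))
    return out
```

Running demo() shows the three behaviors the text describes. Under conflict resolution the MAC policy yields only to a stricter unifying decision (bob's read of the plan is refused even though the ACL permits it). A disagreement that no combiner can settle (the emergency policy insists on "must" while MAC insists on "cannot") exhausts the combiners and raises PolicyConflict rather than silently granting; the text's loop "repeats until all conflicts are resolved", so an implementation has to decide what happens when they cannot be. Under absolute precedence the same machine changes its governing policy by re-ranking precedence alone, which is the rheostat behavior the polymorphic view relies on.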


3. Polymorphic Security Policy Implications 


Policy evolution provides insight as to how to model a multipolicy system, but it
does not reveal the negative implications of changing the dominant security policy.
Switching security policies may have a disastrous effect on the operation of a system.
This section discusses these issues and provides some recommendations to help mitigate
the negative consequences of policy evolution.

The security policy determines how information and computing resources are to be
used. Change the security policy (and the applicable enforcement mechanism) and
information flow may occur that was previously restricted. Sensitive information may be
revealed, previously protected files may be modified, and system vulnerabilities may be
exposed. These actions are allowed while a less restrictive security policy is dominant but
become violations when a more confining security policy is reinstated. An important
question is whether the reinstated, more restrictive security policy concerns itself with the
past access decisions made under the previous governing security policy. This question is
left to the designers of the system to answer.

If the designers do decide to include a mechanism to correct the actions of the 
previous security policy, they will be faced with numerous difficulties. The foremost is 
that of trying to revoke access to, and possession of, information to which subjects may no 
longer be authorized to have access in accordance with the new security policy. Problems 
associated with this scenario include identifying such information, locating it, and effecting 
its recovery. A subject may have made several copies of the information and may have 
sent it around the world via the Internet. There is no way to provide complete assurance 
that all the information will be reclaimed. 

Another obstacle to switching the security policy deals with the access attributes of
objects (e.g., permissions or labels) and how such attributes translate from one security
policy to another. For example, if a DAC policy is enforced, objects are not marked with
a label indicating their sensitivity. If that policy is replaced with a MAC policy, how does
the MAC mechanism adjudicate access without such labels?

To resolve these issues the following must be considered. Selection of the security
policies must be carefully and methodically undertaken. One must fully comprehend the
potential effects and ramifications of each policy. Maintaining an audit trail throughout all
changes of policy is essential for determining what actions were taken. This information
may prove to be invaluable and necessary in resuming a secure state. The protection of all
the security mechanisms (e.g., audit log, RVM, encryption devices, and trusted
subjects) must be maintained with every change of policy. There must be assurance that
the governing mechanisms are working properly and are not corrupted by a policy
change and its consequent actions. Lastly, the object labels must be compatible with all of
the security policies. This may result in having one standard label that is associated with
each object and maintained throughout all security policy changes.
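As an added example (not code from the thesis or from MSHN), the following Python sketch works through two of these recommendations together: every object carries one standard label holding both the MAC sensitivity level and the DAC access lists, so either policy can adjudicate after a switch, and every access decision is recorded with the policy that made it, so that when the stricter policy is reinstated the trail can be replayed to find past grants that are now violations. The label layout, the two policies (a two-level MAC rule on clearances and a DAC rule on access lists), and the sample subjects and objects are assumptions.

```python
"""Standard label across policies plus an audit trail replayed on policy reinstatement.

Added example for this page, not code from the thesis or from MSHN.
Label layout, policies, subjects and objects are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Label:
    """One standard label carried by every object and kept across policy changes."""
    level: int                 # sensitivity level, consulted by the MAC policy
    readers: FrozenSet[str]    # discretionary read ACL, consulted by the DAC policy
    writers: FrozenSet[str]    # discretionary write ACL


@dataclass(frozen=True)
class AuditRecord:
    policy: str      # policy that governed when the decision was made
    subject: str
    obj: str
    op: str
    granted: bool


Check = Callable[[str, Label, str], bool]


class PolymorphicSystem:
    def __init__(self, clearance: Dict[str, int], objects: Dict[str, Label]):
        self.clearance = clearance
        self.objects = objects
        self.policy = "MAC"
        self.audit: List[AuditRecord] = []
        self.switches: List[Tuple[str, str]] = []   # (from, to); part of the trail

    # Both policies adjudicate from the same standard label, so a switch never
    # leaves an object without the attribute the newly dominant policy needs.
    def mac(self, subject: str, label: Label, op: str) -> bool:
        c = self.clearance[subject]
        return c >= label.level if op == "read" else c <= label.level

    def dac(self, subject: str, label: Label, op: str) -> bool:
        return subject in (label.readers if op == "read" else label.writers)

    def checker(self, policy: str) -> Check:
        return {"MAC": self.mac, "DAC": self.dac}[policy]

    def access(self, subject: str, obj: str, op: str) -> bool:
        granted = self.checker(self.policy)(subject, self.objects[obj], op)
        self.audit.append(AuditRecord(self.policy, subject, obj, op, granted))
        return granted

    def switch_policy(self, new: str) -> None:
        self.switches.append((self.policy, new))
        self.policy = new

    def grants_now_violating(self, policy: str) -> List[AuditRecord]:
        """Replay the trail: past grants that `policy` would have denied."""
        check = self.checker(policy)
        return [r for r in self.audit
                if r.granted and not check(r.subject, self.objects[r.obj], r.op)]


def demo() -> Dict[str, object]:
    # Constructed sample data: two clearance levels, two labeled objects.
    system = PolymorphicSystem(
        clearance={"alice": 2, "bob": 1},
        objects={"plan": Label(2, frozenset({"alice", "bob"}), frozenset({"alice"})),
                 "notes": Label(1, frozenset({"bob"}), frozenset({"bob"}))})
    out: Dict[str, object] = {}
    out["MAC: bob reads plan"] = system.access("bob", "plan", "read")       # denied
    out["MAC: alice reads plan"] = system.access("alice", "plan", "read")   # granted
    system.switch_policy("DAC")                                             # rheostat down
    out["DAC: bob reads plan"] = system.access("bob", "plan", "read")       # granted
    out["DAC: bob writes notes"] = system.access("bob", "notes", "write")   # granted
    system.switch_policy("MAC")                                             # reinstated
    out["violations on reinstatement"] = [(r.subject, r.obj, r.op)
                                          for r in system.grants_now_violating("MAC")]
    return out
```

The replay identifies the subjects and objects affected (here bob's read of the plan while DAC governed, which the reinstated MAC policy would not have allowed). As the text notes, it cannot reclaim copies already made, so its output is the starting point for a response, not a remedy in itself.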





VI. INTERFACE ANALYSIS 


Interfaces are important: they reflect, facilitate, and mediate the functionality of the
system. To most users, the interface is the system. The interface development process is
an integral part of the system design process. This chapter analyzes the interface of
SmartNet version 2.6. This study is not conducted from the customary usability viewpoint
but instead from a security perspective. By taking this approach, we hope to gain insight
into the security issues pertaining to a scheduling framework. This chapter begins with a
discussion of the aspects of the interface we are examining and the basis of the
examination. An abridged overview of SmartNet’s interface is provided, followed by the
identification of the security weaknesses and vulnerabilities of the interface. The chapter
concludes with recommendations for resolving the exposed security liabilities. The lessons
learned and suggestions noted will assist in the development of the MSHN interface(s).


A. SECURITY STANDPOINT 


The approach of our study of the SmartNet interface will be from a security
standpoint. This security perspective can best be illustrated by the security objectives
described in Chapter III. These objectives ensure the confidentiality, integrity, and
availability of information and together define the security of the system. Features
that either support or conflict with these security properties are the focus of our attention.

To discuss the confidentiality and integrity of SmartNet, we need to look at the
actions permitted by the SmartNet interface that result in a user gaining access to
information, applications, and resources. It is important to note that these actions can be
caused autonomously by SmartNet as well as by the user interacting with the interface. An
example of an action instigated by SmartNet is the transmission of messages to the user
about the states of currently running applications. This supply of information is not
explicitly requested by the user but is sent automatically. Actions caused by the user include
the activation of menus, the entering of data in dialogue boxes, and the opening of files.
These actions, no matter how complex, can be reduced to some combination of two types of
access, reading and writing. Reading is the transfer of information from one entity to
another, while writing is the modification of information.

In support of the confidentiality and integrity objectives, we need to look at
how SmartNet’s mechanisms assure the proper identification and authentication of its
users and assure that transmissions are genuine and unaltered. The form of the mechanisms,
their strength (resistance to subversion), and, most importantly, the user-machine interface
presented by these mechanisms are of interest to this study. In a network system, these
mechanisms will involve cryptographic communication protocols for intercomputer
security as well as those involved with internal computer security.

In looking at availability, we need to determine those actions permitted by the
interface that may result in a denial of service attack. Denial of service attacks may be
caused directly by a user’s action, such as overloading SmartNet with numerous spurious
jobs, or by less direct means that manifest themselves in a more covert fashion. An
example of a less obvious attack is one in which a user corrupts the historical data that
SmartNet collects, resulting in a serious degradation in SmartNet’s performance.


B. SMARTNET INTERFACE 


The SmartNet interface consists of three primary Graphical User Interface (GUI)
processes: the Editor, the Monitor, and the Runner. Each of the primary GUI
processes has multiple “views” that the user can access (see Figure 12). Each view has its
own unique purpose, appearance, and functionality. These views allow the user to
interact with and manage the SmartNet environment. In SmartNet all users have the same
privileges. SmartNet assumes that the user is knowledgeable about the local site’s
machine and network characteristics visible from that site, and about the remote machines
that can be accessed [Ref. 2]. This high level of user aptitude is required so that the user
can accurately enter the compute characteristics of his applications. SmartNet’s ability to
perform effectively depends on the accuracy of this data. The user has access to all the
functionality of all the interfaces.

Figure 12. Structure of SmartNet’s Interfaces (Editor, Runner, Monitor; Editor views:
Applications, Machines, Applications/Machines, Overrides, Sites).


1. Editor Interface


The Editor allows the user to interactively edit the SmartNet database, which
contains information about the applications (user jobs), machines (potential resources),
sites (locations where machines reside), and networks from which SmartNet generates its
schedules. The Editor provides the ability both to query and to send updates to the
database. The Editor consists of five distinct views (see Figures 13 through 17). These
are the Applications window, Machines window, ApplicationMachines window, Overrides
window, and the Sites window. Each Editor window serves a specific purpose and
provides the user with the supporting functionality listed in Figure 18.


Figure 13. Applications window.
Figure 14. Machines window.





Figure 15. ApplicationMachines window.


Figure 16. Overrides window.

Figure 17. Sites window.


Applications window
  Purpose: Allows the user to describe applications to be scheduled and identify machines.
  Capabilities:
  • Add Applications Editor Object Type (EOT)
  • Read the name of applications
  • Enter application’s textual description
  • Indicate idempotency of application
  • Enter application’s Compute Characteristics
  • Modify application’s Compute Characteristics
  • Add machine on which application can run
  • Delete machine on which application can run

Machines window
  Purpose: Allows the user to specify the attributes of the machines to be scheduled.
  Capabilities:
  • Add Machines EOT
  • Read the name of machines
  • Enter machine’s textual description
  • Enter machine’s architecture description
  • Enter machine’s purchase price
  • Enter machine’s site location
  • Enter machine’s location within a site
  • Indicate fictitious or real machine
  • Read number of jobs scheduled or running on a machine
  • Read time until all jobs scheduled are completed

ApplicationMachines (AppMach) window
  Purpose: Allows the user to view and edit the compute characteristics and experiential
  data associated with the user application and machine combination to be scheduled.
  Capabilities:
  • Add ApplicationMachine EOT
  • Read name of applications
  • Read name of machines
  • Enter group name of application-machine combination
  • Enter DataUse Equations
  • Enter Computer Equations and Network Equations
  • Read Mean, Variance, Weight, Upper Bound, Sum of Squares, Compute Characteristics,
    and Counter values for the computer and network experiential data record set

Overrides window
  Purpose: Allows the user to set parameters for the user application to be scheduled.
  Capabilities:
  • Read names of applications
  • Read names of machines
  • Modify overall weighting of the compute information
  • Modify overall weighting of the network information
  • Enter execution, network, and data use function of the ETC

Sites window
  Purpose: Allows the user to describe a machine’s site characteristics.
  Capabilities:
  • Add Sites EOT
  • Enter site description
  • Enter site latitude and longitude
  • Add, delete machines at site
  • Indicate fictitious or real machine
  • Enter latency
  • Enter bandwidth
  • Read status of site

Figure 18. Editor Windows Capabilities.


2. Runner Interface


The Runner permits the user to schedule and run jobs on a given VHM. It also has
the capability to generate only a schedule (without executing it) for planning purposes.
The Runner interface consists of two views, which the SmartNet Users Guide [Ref. 2] terms
the Runner window (see Figure 19) and the “Job Info” window (see Figure 20). The
Runner window lets the user select the applications to be executed, specify the
number of iterations each job will execute, select the machines that compose the VHM,
and choose a scheduling algorithm. The “Job Info” window, which is a subwindow of the
Runner window, allows the user to enter more specific information concerning all the
applications. This information encompasses dependency, priority, compute characteristic
values, and command line entries for each application. While operating in the Runner
interface the user is able to access the Monitor interface.


Figure 19. Runner window.
., SCOP R PERO III PEPE CAEL PS. PP PRAPE PS SESEE ROT LAT PILES PLO BPI OPLE TLLPPP AAP PLE CFE IPLEP ys 
SAP ROL, PO AERLAFPL EPPA TRELFLELAPLOEREDEAEEFEBELGAEPEPEPEPEPELPPAECERGG AL: 

OCPSLOLIPELAL IPI PEDPDPEPPLLEE OIE CEL EES 


PA MOMPPEPLL PDR CLP LIS L ILIA. AF, 
CLELIEGARPERDIEPIID CELE PERIL PL ELA LD GPEPELECUCLAD LTS 
% APPL POTPP LESCEAEEDLEETEREDLAPLELPBLPEE PEEP D IAG LG, 
LERIEL IED. a POPPE EE? 
PPP OPS. 2 
ane: 


WSTASSANS 
PETS 


2 

Agee bass: - ae oe 2 ae 

SAPO CEPS SPAT ISLS. se 2 2 LOIRE OIA ETP. PILES, Z PasPepeLasy. ree Roe, 

2 3 LOPE SII IED IOIL PSII LAP PERT, Oa, 2 2, PEER PLT PROD APR OPISIED SOP BLA PRATLSPELSL: et oe 
oe a) An ONS: PA AAS, AAA Ae 26! a Pee SPP M. A PLA LARA? APDIP PS F. Ne ae ihe oi APOE, e POP AP a PAPEL PA _“ , AeA Ls APO ae. tan 

Meare eres orc estat ag SOLE SeTCIC CRE ht MAM TOL TEES pperienceonas sctassccssesranenessoscestanacaen 3 

AOL GOLALL IIE P18 tee eae Abas. 2 POLS EADL ODL, edgetae . COLL VOAL COL ALTEAV ES GOLCOV ELD Gg sp na Nee led sees: PT PP AL oP. 


Ah $ 
reer CAEP PE PIP MNS AS, Pe PILE PEF. wf) 3 PLL EE. PEA PE Eee ee 
x ODP OT MPL IDL PS, ve Bs oer. 7 Si 2 Aree: serene B. For a AMPLE PE OLED, 
293 re a PIONS * Pees 2 ag RDS 7 ae ee. PIG LER MILE LP DATEL E LIP ODOR OLPOLEL OS Oot 
% en te FAP EA. LEP PI AE PPPOE AL ak PPLECLEDEE ES 4, A » ae LEPLPPLEEE. ie PPLAPE OL 
ca) “sr 4 PPP MPP PA 


SILO NDE LEL 
r Leet AAD 2ETPOACEOL EDS * CIPESE aamaniat LOPAP ELIF OPPEEI LG IS COPPA PAIL LERISD IP. 
BPPLAPTPL DIL OS OCOLE EPPA PD, A CAPRA ee i PRPPLODPPPIT PIR IGL CALLER OOP ORL EPP LEALL DPAPOL PLD % DOPOD RA Aeeed 
GOePPePEPLEL S POPPED SMP PP POEPOPOPIE ILE 7 aot PEPPISEL APA PEPPEPPSIL EEL LALIT EY PLL APEG PS LILI PDE , PPIPPIPEPIRIPPREPLDAP LILO SPLPCED POPE, 
PIDPOLPE RP POLPLPLEAPLIEIGAD ABE: CARER EAe 42 PE PPLLI PT ILLS VO LAPODELILECPLPLEG LEDS IRIS LED T POSED OL ANRC ORT OR CPF: Ae POOEEO POLES: 
CORSAGE es PP AEG LL CIPI LIDE: SPPPOPEPPPP AED. POP IAS Ah PEPIDPLII SLE PEPTSPET POPE IET LISS OP EEG E ERP AA, PO PIPLPNP DO EPE NP IELPPLPIDEPIODDOEDI GDR: 2. 
AIDES Meo AE OPR GPE PPEOBPEG PEL ED PL CLOEPERE ILIAD % EEG PIOEe. LOLPPILEREPELILEDPLPLPPLOSEP PT ASILILIL OL, EPA PALE: PPPPOLAPLILO DAL 
5 PREIIERE DIPOLE APFEALI PD PILED ACPA OPP ER, tA we Be * ~t ALRLIPAS IIL APLELEL OEP OL AE DELP EP PPPS. a 
PORIIA EAE 4 + Bee CPOE LEA Ss PAP PRED. LAPP PPP PLEPLIP IED AILS. 
Bene g ge aes wees ease acest png oy @ 2 2 PP PLP REPPLILIRISPL EID IAD S, APPR C IRAE OOPS, 
PILPEIR ODO LIDISICPSED IGA LAL IP OLEDL OLE LG ae 6 
Bests 52 Teneo ttt aon COs oes COCO OEE PERE CEE CO nee - 7 ae 2 tS Cares ZOOM $253) Soitebeabeesepepone spe pe RCO seOeere: o 4 7 ALIAS: PePb robe egoee Mt PeEelCoobEGee 
pean ee PPPALAPAPAD © OS PLSRLP EPS LOC P POSED IIE. 3 PAPAS, . , bg ? eee : 2b a, Pe eee se eee SLE E Aen eSS : PO PPEALA ED PE IDLA. eocgenycezesss7 234 724¢ 
sg . Aone: A 


ane Bike oo Gee tees, ree re v ae 7%. ae nd %, A SAEPPOLP PEL APD APL EAL AS, oa APES ARE. PROP LEIP LDA. 
eau a -. ae TPA A SPA PD Ce ° 


2 . Ad an se, AR eee PPLPPPSSE EEL 
Bes eR OE, APL» PP LAP APMIS, A * CAP EAS. - as: en CLA LOS BPO PEL. 2 
PEPCPRIA SOP EF LE eee 5 fee? 2 -, LEP ELLIS IARI APPLL AT OPI ELL PP LEP LELLL POD, SLPLLADL RE APPIISSPELIEBPLED PLE: 
*, 7 . SPALL S. . . as 7. 2 AFP a8, PPP ee PAPEL PEABO SALA ED, -, LAOS 2 


F SPIDER Por oe CAPPED. heat POLPPEL POP PPP PLOPL LPP LOOP. os 
POG gt POLPLLP IAS PIL ALIBCLPPIEPIPLE PELL I? ALOOSES PIEPLPEPELPEPLS AP PEPLI ELE SPIE PLPPSLR OPP PLES. ALPAA AS SELOAEPOAREL ALI PPDDLEPELEPP ELI LPPCBPOL IS De PRE AE LS! 
GDI PAOLO PPO O DODO PPE O POD PP EPC CED EIEEIOD i ; 4 SOPILLR EGE LLISEAPL AL PPP IPLPPLEG SLED IPS PELLOLPITPIPCPL POET PIER SED EAL LIE EPEDIPIOE, POPOL PA? Pht 
BOIS a Sooo SOOO TET O Oe. 4 7 fe C on wy sen + LPPPPSIPLPP IODA AD GO: ee LPB ALEMPIGEIPPBILPLLAP PLT EP PIL Free aA. 
ZLEbE54 23: ar 7 peace re PEL EE. ; PALES. PLESLILSPIT EL LIP LIPS: ne aere 
‘ 5 nero > PO REPE APP LL PELPLPEDINEOL APBD LPP PDP LOL F, POPE OPOI PI ORL F 
DOOGEE ard PELL OOD DOL ERPILIPL OP PLOD OOD PERLE PDPEPIPDILIBOTPI OP LG, 
7 2pe aT ED 7S ae PAPO PN POLED AERP PLEPPPELLELLEL OT PLAS 
APP EROT IEA ened. PRIPELEL IPE IEE S SILO PPLEP PPLE EL BP OPI 
LPPCLILIEOLPPPBEPLD EA LED PIPE PTEPOLLEPEEL POE. 
SPELLSIELLLEPPLELALGD IDEBPL PLEAD ADS OL POLE 
LLEOLIOR EPL PPRPPLIED LDP PPOLL PEP ALLIED 
Fo NOP Lane, a3 Pe 


ARIF LIOAP OLLIE IES 


Lip re bs 
eee 


oe, 
BLECPF EP 

PPE PE COE, 

PIPL LEI OE 2 APIS, - SELODA DA, PALL AL IS 2 AAP PEEP AT a 

AEREEPPRPIPRAL IP PLBLBSS. eer SEPA PLIPEILIPLIILISOEL PP ELGLL IBALL DE LILEL EPL LOPEEEPSIL PPP NEL PE. COP ESET. LOCLLIE SALA EPPEA, 

eee ee a PABLO OAL CPOEPPLLS PL ee Pane, LLL ERO BEI IOED IG EPRLEL OLS OSE, SPPPLAFPLPIL PDL IE PAPE APES. APPA LEPELILLPHEPPL AAAS, 
RAR AA AOC LIP eee “ PA LOP IGP EPL OO POL IOE AL IRILIPSOPIRPI PS & ae 2 LP DM 2 CECE AGC Os eC eee at, 
LEIP APILAP LISD BPEL PP , et aoe PP ARRAN AAAS LAL IPI APPL? 0 APPEL MLA D ORE RT AL OLD SGD IIOP ALT, - a 
ae, EPPPPPL PLES PESOPL OAT, at oi 2 “eagasszassere7 PALEE IDL PP OLLL OL 4 SIALLOLIISLIPLE TE Dod < aa AESPPPAAD APPL RIBS FE LE, 
CBFEPILI IL OALI SEPP LL - AP #, UPPER BAL ETT FILIP DL. : 22 PPAPLPPLIOPEALA, AOE AD. LOPLI ILE PELLII2 P 
2 ZALPATE. eee. POGAAL, SL IATEOPLOLED LP: PPLELIELILSTPTIEOLILED PPE PA. 2. A. 2) 
ZS S PPP LP OLA, ie AIe ee. . PPLLILOP LE LOLS. eh: 

BRP ET PI OLI OE POLE IDOLE, 
PPPLPLIOSPLIPLS IPP POEL EPG PD LEP D Ae 
EAP E AL PPADS 


ALDI PA ADL. Pe. ma 
AMAIPLE LOO L PPPPLELLEPLSIRO SED BLS. 
PLEP ADDS ELEELP. 


POSP LAL RLPS 
SLAZPPAEL EO 


> Beg Se 
. af LL PPPEP SAY a 
RDP e DID A Gear nG OPE aes 26e: oe eanred LPT OPL RAL LEED. Cen ege Pere RaE A 
SPIALIIRES. Pe APP APP AL Aba’ a te oe, bj . a fF *. eee A PPIIIELIPRIP AE 
PECEPLEEPEIOLL PL ODT OEP EPPRLPLL I PEELE PLPPEPPL ARLE. ACP g es? PPE P, on IB? t. FE: i. EF PROALPPPOPPIEPPERFE EPID PDA. 
SPAEPEPAERLOESAPEPALEPELLIOLE OPER LPRELEPREOEAPLELPEP LE? PIPER PAP LE PA. PELPERPOO LEP ED PAG, inh A A ee OPE PA OP AEAEAP AD 
PALES EM FPP SE. APEC EPA PLE, CPL FAAPEFPTELPEREEAE E EAPO S. PPORELEPPES EF PLEPEPO LASER IEEE ODA TAPP PS, ? MOPS MP MPPACE ASD 
A PhP OS AP At e. A oF *, % LA pees. PPE ALR TALIS ALP Oey tA ee 
OPIATES PLE. PLALES LPP IL. ee PELOLPOPPP AE PRD AAP PAPE A: ne. 
CE PPEDMEA LILI DI SOLE P ERIE sae sen 408. APAPO?: 20 = APEC BOLO GE PLP LIP LOOT LD Rete DOL OEE 
CL EK OTOL LEITLEMO LL ae, LLL eed hele OLEATE ELLOS AL SELL OLE MMOL OLLI LCSD PLU LLL MEDELITE 


SAL 
. 


me “3 


NNR AN SS 


PERCU O55) ie Vetere dalle Mae Ml cl ddim. CURL GY fe LE SRT ENTER AAI 
LIED O ASOT SSTOOFETICLOP EPCOT ON AOAC AFPPP ET. - BEATA AOA DS LEC BEER CTS CFEL AP ALE, NAST PES c~ ate ss 
am? ae eo Ay AA RIPPAEES A AAAA SAP Pe, AAPL? E. iA Pm SAPP A. APOE PALE 4. A. Pe. 


oe ae ane PRACL EL AY ¥ 2 eae ee a 3 PEORPLP PID OPS, 
PLO bs o- Pep POS 2 " OA EAE EE RRIILED 22 FOPEP TPES. fee = = ae eng PELLPTF PPS, PTE IIIEPIC IO LIED ES OL CDLE 
rE Eee eens: 22204: 2422 22 Saas is 2 2 Ae oe a ana r ALPRDLP Ao oF - $3247267 2 Bhar ences. 7 
ete ABEL er eae APA. vy) % © uP fe ~ + Ai 277 Th : POCEIPI OD TODO PLE F: 
" “23 Meee r Tn 2 
4 * 2 Leen POLE TAIT ASP PIPL E: 
; r 2. “7 POCAGPP IE. 
3 : PAPAS aay: 
. : sig ep hare be £ ; 3 Pos pete 
oe ! elas ; ft 
eels <2 ere = = 





Figure 20. “Job Info” window. 


3. Monitor Interface


The Monitor presents the user with a real time look at the jobs that are currently running and scheduled to be run by SmartNet. It is strictly a passive interface. The user is not able to manipulate the state of SmartNet in any way. The Monitor consists of two views, the Monitor window (see Figure 21), and the “Task Info” window. The Monitor window displays, in bar graph form, all jobs currently scheduled and indicates the machines on which they are scheduled to run. Each bar represents a job. The jobs currently executing are distinguished from waiting jobs by a flashing bar. The “Task Info” window is activated from the main window by clicking a job’s bar. The “Task Info” window displays additional information pertaining to that job such as name, duration, start time, and status.


[Figure 21 (screenshot of the Monitor window) is not reproduced in this text extraction.]

Figure 21. Monitor window.







C. VULNERABILITY AND WEAKNESSES


Our examination of the security inadequacies of the SmartNet interface is 
organized by reviewing each of the three primary interfaces: the Editor, Runner, and the 
Monitor. Security problems common to all of the interfaces are noted as well as those 
distinct to a particular interface. Specific examples of features that expose SmartNet to 
potential security threats are highlighted and their consequences explained. 


1. Common Security Problems


There are several security weaknesses shared by all of the three primary interfaces. The first is that there is no identification and authentication procedure. Users are not required to uniquely identify themselves to SmartNet. As a result, control over the access to information, either by discretionary or mandatory means, cannot be accomplished. Subject identity and associated rights must be established for the proper mediation of information access. Without this feature it is impossible to uphold any of the security policies or to assign accountability to users for their actions.

The second mutual security deficiency is the all-encompassing capability of any user to view the information pertaining to any job, and to manage all of the applications and resources of SmartNet. Jerome Saltzer and Michael Schroeder expound on the design principle of “least privilege.” [Ref. 27] This principle states that every program and user of the system should operate using the least set of privileges necessary to complete the job. The “least privilege” principle limits the damage that can result from human accident or program error. In a military setting, this principle can be compared to the security rule of “need-to-know.”


The third weakness is the absence of an audit trail. “An audit trail is a 
chronological record of system activities that is sufficient to enable the reconstruction, 
reviewing, and examination of the sequence of environments and activities surrounding or 
leading to an operation, a procedure, or an event in a transaction from its inception to final 
results.” [Ref. 28] So long as the audit mechanism is not subverted, the audit trail will 
allow a penetration of SmartNet to be detected and future penetrations deterred by 
revealing any misuse of the system. 

The final security weakness is that information transmitted via the network is not 
encrypted and therefore susceptible to interception. This could lead to replay attacks (the 
passive capture of a data unit and its subsequent retransmission), masquerade attacks 
(where one entity pretends to be another), and the modification of data. 
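The three consequences of unprotected transmission named above (replay, masquerade, modification) are all detectable at the receiver if every message carries a keyed integrity tag over a sender name, a per-sender sequence number and a timestamp. The following is an added example written for this edition, not code from the thesis or from SmartNet; the key, the sender names, the `MAX_SKEW_SECONDS` tolerance and the request payloads are all constructed, and the key is assumed to have been established out of band (for instance during an I&A step). It shows integrity and authenticity protection only; confidentiality of the payload would additionally require encryption.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key; in a deployment it would be established during I&A (assumption).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_SKEW_SECONDS = 30  # assumed tolerance between sender and receiver clocks


def seal(sender, seq, payload, key=SHARED_KEY, now=None):
    """Wrap a request so the receiver can verify who sent it and that it is fresh.

    The tag covers the sender name, a per-sender sequence number, a timestamp and
    the payload, so changing any of them invalidates the tag.
    """
    ts = int(time.time() if now is None else now)
    body = json.dumps(
        {"sender": sender, "seq": seq, "ts": ts, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Server-side check applied before a request reaches the scheduler."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = {}  # highest sequence number accepted, per sender

    def accept(self, envelope, now=None):
        """Return (ok, reason); only (True, "accepted") lets the request through."""
        now = int(time.time() if now is None else now)
        expected = hmac.new(self.key, envelope["body"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison. A bad tag means the body was modified in transit
        # or the sender does not hold the key (masquerade).
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False, "bad tag"
        msg = json.loads(envelope["body"])
        if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        # A captured envelope re-sent later carries an already-used sequence number.
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            return False, "replayed sequence number"
        self.last_seq[msg["sender"]] = msg["seq"]
        return True, "accepted"


def demo():
    """Feed one genuine request and four defective ones to the receiver; return the reasons."""
    rx = Receiver()
    t = 1_000_000  # constructed clock value
    genuine = seal("runner-alice", 1, {"op": "submit_job", "job": "fft_run"}, now=t)
    outcomes = [rx.accept(genuine, now=t)[1]]
    # Replay: the same captured envelope retransmitted two seconds later.
    outcomes.append(rx.accept(genuine, now=t + 2)[1])
    # Modification: payload altered in transit, tag left unchanged.
    tampered = dict(genuine, body=genuine["body"].replace("fft_run", "other_job"))
    outcomes.append(rx.accept(tampered, now=t)[1])
    # Masquerade: a party without the key claims to be runner-alice.
    spoofed = seal("runner-alice", 2, {"op": "reset_server"}, key=b"guess", now=t)
    outcomes.append(rx.accept(spoofed, now=t)[1])
    # Stale: a correctly sealed envelope delivered ten minutes late.
    late = seal("runner-alice", 3, {"op": "submit_job"}, now=t)
    outcomes.append(rx.accept(late, now=t + 600)[1])
    return outcomes


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The sequence number is what defeats replay; the timestamp only bounds how long the receiver must remember sequence numbers, and the tag check runs first so that nothing is parsed from an unauthenticated body.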


2. Editor Security Problems


The overarching security problem with the Editor interface is that it allows the user 
to modify all aspects of all the applications and resources of the VHM. This user control 
of vital information governing the proper execution of applications is unchecked by 
SmartNet. The user is able to directly affect SmartNet’s ability to schedule by modifying 
information stored in the SmartNet database pertaining to jobs that may or may not belong 
to him. 

Specifically, the user can alter a number of application and resource parameters that will have adverse effects on the operation of SmartNet. The user can change the compute characteristics of an application in the Applications window, causing SmartNet to improperly schedule the application. He may redirect transmissions (e.g., job execution commands or job results) by changing the Internet address of the machine in the Machines window. He may create bogus applications, machines, and sites, in the Applications, Machines, and Sites windows, respectively, to confuse the other users of SmartNet. He may change the SmartNet server to site bandwidth settings in the Sites window, causing SmartNet to miscalculate the impact of the network. He may input unrealistic values for the Compute and Network weights, thereby altering the results of SmartNet’s Estimated Time to Completion function. None of the above actions is restricted by either SmartNet or its users.


3. Runner Security Problems


The Runner interface restricts the user to only those operations relating to the execution of his jobs. However, the user does have the capability, via the interface, to indirectly affect the other users of SmartNet. The functionality of the Runner interface exposes SmartNet to three security vulnerabilities: denial of service, corruption of historical data, and exploitation of the resources of the VHM.

The first security vulnerability of the Runner interface is that it allows a user to conduct a denial of service attack. A user may interrupt the operation of SmartNet by resetting the server. This is done by using the Schedule pull down menu on the Runner window and selecting Reset Server. This will cancel all of SmartNet’s currently running and scheduled jobs. This means that all jobs, including those of other users, are terminated. The user may also conduct a denial of service attack through a less overt method. This is achieved by submitting an unusually large number of jobs for execution. He may target an individual machine or a selected group of machines by selecting them as the execution platforms. This overloading of jobs will cause an excessive delay in the processing of other users’ jobs.

Unlike the Editor, the Runner does not allow the user to modify the SmartNet database directly, but it is possible to do so indirectly. The SmartNet database contains a historical track record of the performance and needs of jobs. Each time a job is executed, SmartNet records runtime information. It uses that information in the future scheduling of that specific executable. A user could submit to SmartNet a series of jobs running a particular executable and provide bogus parametric and characteristic information (i.e., compute characteristics and dependency information). This bogus information would result in poor performance for that job. SmartNet would incorporate this corrupt data into the collective job information contained in its database. This corruption of the job’s runtime record will adversely affect what SmartNet sees as the characteristics of that job, and so the ability of SmartNet to schedule that job.

The last security weakness is that the Runner interface exposes resources to potential exploitation. Specifically, the “Job Info” window permits the user to enter commands that will be received at the resource tasked to execute that job. The purpose of this feature is to associate the application and its related parameters to the resource tasked to execute that application. This information is required for the execution of the job at the resource. The user could use this feature to enter in commands intended for harmful purposes.


4. Monitor Security Problems 


The Monitor’s interface function, to provide a real time overview of the VHM, 
poses two security problems. These problems are violations of the Simple Security 
Property (a property of the Bell and LaPadula security model discussed in Chapter III) and 
facilitation of inference. 

The Monitor interface allows a user to view the application names, start times, durations, job identifications, predicted times to finish, status, number of iterations, and the assigned machines. The Monitor interface also displays information about the machines running the applications, such as their machine name and network address. This information may be sensitive and therefore should only be available to users with the proper clearance and need to know. This ability for a user, in particular one without the proper clearance, to read sensitive information violates the Simple Security Property. A less overt manner in which information may be illegally passed between a high user, that is, one operating at a high security level (e.g., secret), and a low user, one operating at a low security level (e.g., unclassified), is through a prearranged signaling protocol. The high user may signal the low user by submitting a job to a specific machine. The number of jobs that are submitted to that machine, the time submitted, and the name of the job itself could all convey information to the low user.

The last security problem is that the Monitor interface supports inference. Inference is “the occurrence when a user is able to deduce information to which they do not have privilege from information to which they do have privilege.” [Ref. 24] For example, a low user observes that SmartNet has tasked the machines at a military high security site with an extraordinary number of jobs. The low user may be able to deduce that the military is utilizing the resources managed by SmartNet to prepare for an impending conflict. The military’s order to maintain silence about the operation and preserve the element of surprise is subverted.


D. RECOMMENDATIONS 


This section outlines recommendations to counteract the previously noted security weaknesses in SmartNet’s interfaces and operating principles. The first three suggestions are required features of all systems rated Class C2 and higher in the TCSEC classifications [Ref. 9]. The last recommendation addresses the separation of user from system administrative capabilities in SmartNet’s interface.

The first recommendation for a more secure SmartNet is the insertion of an Identification and Authentication (I&A) mechanism into the system and the interfaces. An I&A procedure involves the user establishing a communication path to SmartNet, identifying himself, and then supplying one or more authentication elements as proof of his identity. SmartNet, using the claimed identity and authentication elements as parameters, would then validate the supplied information against that contained in an authentication database (e.g., a password file). If satisfied with the verification process, SmartNet establishes the user’s session. SmartNet must also protect the I&A data. I&A data transmitted during a login session is vulnerable to interception (like most transmissions). Protection of this transmission could include physically securing the wires between the user and the I&A mechanism (not feasible for a configuration of SmartNet that includes resources that are dispersed throughout the country) or applying a cryptographic protocol to the transmission. Implementation of an Identification and Authentication process will ensure that only authorized users have access to SmartNet. It will also facilitate the incorporation of the remaining recommendations. [Ref. 29]
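The I&A sequence just described (claimed identity plus authentication element, validated against an authentication database, then a session) can be made concrete as follows. This is an added example for this edition and not code from the thesis or from SmartNet; the class names `AuthDatabase` and `SessionTable`, the `PBKDF2_ITERATIONS` work factor and the user names and passphrase are all constructed. The point it adds to the paragraph is what the “password file” should actually hold: a per-user salt and a slow keyed derivation of the password, not the password, and that an unknown identity is refused with the same cost as a wrong password.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise as hardware allows
_DUMMY_SALT = b"\x00" * 16


class AuthDatabase:
    """Constructed stand-in for the authentication database (e.g., a password file).

    Only a random salt and a PBKDF2-HMAC-SHA256 verifier are stored per user, so a
    disclosed file does not directly yield passwords.
    """

    def __init__(self):
        self._records = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(password, salt))

    def verify(self, claimed_identity, password):
        record = self._records.get(claimed_identity)
        if record is None:
            # Spend the same effort for an unknown name so response time does not
            # reveal which identities exist; the derived value is discarded.
            self._derive(password, _DUMMY_SALT)
            return False
        salt, verifier = record
        return hmac.compare_digest(self._derive(password, salt), verifier)


class SessionTable:
    """Sessions established after successful I&A; later requests present the token
    and the server maps it back to the authenticated subject for access mediation."""

    def __init__(self):
        self._sessions = {}

    def establish(self, user):
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def subject_of(self, token):
        return self._sessions.get(token)


def login(db, sessions, claimed_identity, password):
    """I&A step: validate the claimed identity, then establish a session or refuse (None)."""
    if db.verify(claimed_identity, password):
        return sessions.establish(claimed_identity)
    return None


def demo():
    db, sessions = AuthDatabase(), SessionTable()
    db.enroll("alice", "constructed-passphrase")
    good = login(db, sessions, "alice", "constructed-passphrase")
    bad_pw = login(db, sessions, "alice", "wrong")
    unknown = login(db, sessions, "mallory", "constructed-passphrase")
    return {
        "good_session_subject": sessions.subject_of(good),
        "bad_password_refused": bad_pw is None,
        "unknown_user_refused": unknown is None,
        "bogus_token_has_no_subject": sessions.subject_of("not-a-token") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The session token is what later ties every Editor, Runner or Monitor request to a subject, which is the precondition the text gives for discretionary or mandatory access control and for accountability in the audit trail.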

The second suggestion is the development and implementation of an Audit Trail mechanism. The audit trail will serve five primary functions. It will allow the review of patterns of access to individual objects, the discovery of repeated attempts to bypass the protection mechanisms, and the discovery of users assuming greater privileges (e.g., a user assuming the system administrator role). The audit trail will act as a deterrent against a perpetrator habitually attempting to bypass SmartNet’s protection mechanism and also improve SmartNet’s ability to control the damage if such attempts are successful. [Ref. 28]
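The first three functions listed for the audit trail are queries over the recorded events, and each needs a specific field in the record. The following added example (written for this edition; not code from the thesis or from SmartNet) defines a minimal record with those fields and implements the three reviews over a constructed sample trail. The `ADMIN_ACTIONS` set, the `ADMINS` set and every event in `TRAIL` are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    ts: int        # seconds since epoch (constructed values below)
    subject: str   # authenticated user, available once I&A exists
    action: str
    obj: str
    outcome: str   # "permit" or "deny"


# Actions reserved to the administrator role (assumed partition).
ADMIN_ACTIONS = {"reset_server", "edit_machine", "edit_site", "edit_application"}
ADMINS = {"carol"}  # assumed administrator set

# Constructed sample trail; not the output of any real SmartNet component.
TRAIL = [
    AuditRecord(100, "alice", "submit_job", "job:fft", "permit"),
    AuditRecord(105, "bob", "read_job_info", "job:fft", "deny"),
    AuditRecord(110, "bob", "read_job_info", "job:fft", "deny"),
    AuditRecord(115, "bob", "read_job_info", "job:fft", "deny"),
    AuditRecord(120, "bob", "edit_machine", "machine:m1", "permit"),
    AuditRecord(130, "carol", "edit_site", "site:s1", "permit"),
    AuditRecord(500, "alice", "read_job_info", "job:fft", "permit"),
    AuditRecord(900, "dave", "read_job_info", "job:fft", "deny"),
]


def access_patterns(trail):
    """Function 1: for each object, who attempted access and with what outcome."""
    patterns = defaultdict(Counter)
    for r in trail:
        patterns[r.obj][(r.subject, r.outcome)] += 1
    return dict(patterns)


def repeated_bypass_attempts(trail, threshold=3, window=60):
    """Function 2: subjects denied at least `threshold` times within any `window` seconds."""
    denials = defaultdict(list)
    for r in sorted(trail, key=lambda rec: rec.ts):
        if r.outcome == "deny":
            denials[r.subject].append(r.ts)
    flagged = []
    for subject, times in denials.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted denial times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(subject)
                break
    return sorted(flagged)


def privilege_assumption(trail, admins=ADMINS):
    """Function 3: non-administrators who were permitted an administrator-only action."""
    return sorted({
        r.subject for r in trail
        if r.action in ADMIN_ACTIONS and r.outcome == "permit" and r.subject not in admins
    })


if __name__ == "__main__":
    print(access_patterns(TRAIL)["job:fft"])
    print(repeated_bypass_attempts(TRAIL))
    print(privilege_assumption(TRAIL))
```

Note that denied requests must be recorded as well as permitted ones; a trail that logs only successful operations cannot support the second function at all.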

The third recommendation is the enforcement of discretionary access controls. 
This will provide a measurable degree of information control within SmartNet. Further 
explanation of DACs and techniques for their implementation are provided in Chapter V. 

The last suggestion is to differentiate the user capabilities from the administrative capabilities. It is clear from this study that the average user (one who uses SmartNet to schedule his jobs) does not need all the capability that the current interface provides. However, the system administrator, as the one who ensures SmartNet operates correctly, does in fact need all of the current capability to carry out his responsibilities.

To accomplish this separation the following process is recommended. Determine the minimum set of functionality that the user requires in order to submit, configure, and execute his applications. Resolve those operations that conflict with the security principles, such as those noted in the previous section. This resolution may require one or all of the following: the elimination of some capabilities, the placement of constraints on the allowable input, or the implementation of some type of error checking procedure (either automatically or via human intervention). Next, those features that the user deems “nice to have” should be reviewed for possible inclusion into the user’s capability domain. Here, particular attention should be given to their security implications. A similar process is then conducted for the administrator’s capabilities. The conclusion of this process will result in two distinct interfaces, one for the user and one for the administrator.
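The outcome of the process described above is a mediation layer that sits between any interface and the SmartNet database and applies three checks the section calls for: is the operation in the subject’s capability domain (user or administrator), does a job-level operation concern the subject’s own job, and is the supplied input within allowable constraints. The following is an added example written for this edition, not code from the thesis or from SmartNet. The split between `USER_OPS` and `ADMIN_OPS`, the ownership-scoped operations, the weight ranges in `PARAM_RANGES` and the sample subjects and job are all assumptions; the text leaves the exact partition to the design process.

```python
from dataclasses import dataclass, field

# Capability domains (assumed partition of the operations named in the text).
USER_OPS = {"submit_job", "view_job", "edit_job", "cancel_job"}
ADMIN_OPS = USER_OPS | {"edit_application", "edit_machine", "edit_site", "reset_server"}
ROLE_OPS = {"user": USER_OPS, "admin": ADMIN_OPS}
# Operations a plain user may apply only to jobs he owns (least privilege / need-to-know).
OWNER_SCOPED_OPS = {"view_job", "edit_job", "cancel_job"}
# Constraints on allowable input: assumed ranges for the Compute and Network weights.
PARAM_RANGES = {"compute_weight": (0.0, 10.0), "network_weight": (0.0, 10.0)}


@dataclass
class Job:
    job_id: str
    owner: str
    params: dict = field(default_factory=dict)


class ReferenceMonitor:
    """Mediates every Editor/Runner request: role check, ownership check, input check."""

    def __init__(self, roles, jobs):
        self.roles = roles    # authenticated subject -> "user" | "admin"
        self.jobs = jobs      # job_id -> Job (stand-in for the SmartNet database)

    def mediate(self, subject, op, job_id=None, params=None):
        """Return (permitted, reason) without changing any state."""
        role = self.roles.get(subject)
        if role is None:
            return False, "unknown subject"
        if op not in ROLE_OPS[role]:
            return False, "operation outside role"
        if op in OWNER_SCOPED_OPS:
            job = self.jobs.get(job_id)
            if job is None:
                return False, "no such job"
            if role != "admin" and job.owner != subject:
                return False, "not the owner"
        for name, value in (params or {}).items():
            lo, hi = PARAM_RANGES.get(name, (float("-inf"), float("inf")))
            if not lo <= value <= hi:
                return False, f"{name} out of range"
        return True, "permit"

    def apply(self, subject, op, job_id=None, params=None):
        """Mediate, then carry out the one state-changing operation modelled here."""
        ok, reason = self.mediate(subject, op, job_id, params)
        if ok and op == "edit_job":
            self.jobs[job_id].params.update(params or {})
        return ok, reason


def demo():
    jobs = {"j1": Job("j1", "alice", {"compute_weight": 1.0})}
    rm = ReferenceMonitor({"alice": "user", "bob": "user", "root": "admin"}, jobs)
    return {
        "owner_edit": rm.apply("alice", "edit_job", "j1", {"compute_weight": 2.0}),
        "other_user_edit": rm.apply("bob", "edit_job", "j1", {"compute_weight": 2.0}),
        "user_reset": rm.apply("alice", "reset_server"),
        "admin_reset": rm.apply("root", "reset_server"),
        "admin_edit_any_job": rm.apply("root", "edit_job", "j1", {"network_weight": 3.0}),
        "out_of_range": rm.apply("alice", "edit_job", "j1", {"compute_weight": 1e9}),
        "unknown": rm.apply("eve", "view_job", "j1"),
        "final_params": dict(jobs["j1"].params),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because both interfaces would call the same `mediate` before touching the database, the user interface can simply omit the administrator operations while the monitor still refuses them if a request arrives by some other path.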




VII. CONCLUSIONS


A. CONCLUSIONS 


MSHN is a program that is building upon the experience of SmartNet. SmartNet 
was designed and constructed as an open system. Its implicit security policy makes no 
distinction between users, and their access to information and resources is not constrained 
by the system. This simplified system development and maximized functionality, 
facilitating the creation of a high performance, flexible, and capable scheduling framework. 
The users of SmartNet enjoyed an all-encompassing ability to control and view the entire 
VHM. 

One may be led to believe that the lack of security in SmartNet is acceptable under certain operating environments. For example, in a controlled environment where the users are trusted to do the right thing, the information processed is not of a sensitive nature, and the connectivity is well-known and regulated, users accept the absence of security. Our discussion here indicates that these beliefs are unfounded. Infection by Trojan Horses and viruses, mistakes caused by users, or deliberately malicious activity can occur and adversely affect the ability of SmartNet to effectively schedule and execute user jobs. Security does more than protect the dissemination of information. Security ensures the proper operation of systems by providing those systems with an expected level of secrecy, integrity and availability.




B. RECOMMENDATIONS 


The following section presents recommendations and future directions for the 
incorporation of security into MSHN. 

The MSHN design team must first clearly identify the expected customer base and their intended use for MSHN. From an economic perspective, MSHN must satisfy the needs of the user in order to be commercially successful. It is user requirements that ultimately shape the design and functionality of the system. Specifically, it is their security policy requirements that will lead the design team in determining the degree to which MSHN will accomplish the three security objectives described in Chapter II, namely confidentiality, integrity, and availability.

This leads to the next recommendation: that a security policy must be defined for 
MSHN. As Chapter IV states, it is critical to the proper design of MSHN to formally 
state the rules and procedures that will regulate how MSHN manages, protects, and 
disseminates information. The articulation of a policy is the first step in building a secure 
system. It will characterize the behavior, capability, and the trust of the system. It is 
counterproductive to proceed with the application of security mechanisms without this 
vital governing statement of intent. 

Independent of the type of security policy applied to MSHN, it is sound practice to incorporate into MSHN’s functionality the ability to identify and authenticate users, and the ability to construct an audit trail. As explained in Chapter VI, these two security services will deter the penetration of MSHN by unauthorized users and will contribute to the system’s ability to make users accountable for their actions. Through the audit trail, it will be possible to determine which users are using the system improperly.

Another recommendation emerging from Chapter VI is that MSHN should adopt the philosophy of “Least Privilege.” Users of MSHN should only have the ability to modify those aspects of applications and machines that are part of their responsibility or concern. Unconstrained malicious actions by some subset of users will impact the correct operation of MSHN and its ability to schedule jobs appropriately. There must be some access control mechanism instituted in MSHN to ensure the integrity of the system’s management database.

The last recommendation is that the MSHN design team should continue research and examination of the multipolicy security policy issues presented in Chapter V. MSPs will enhance the adaptability of MSHN and potentially increase the number of resources that can be utilized by MSHN. This will increase the effectiveness and marketability of MSHN. However, multipolicies are a relatively unexplored area. Major challenges remain to be addressed for multipolicies to be successfully applied to MSHN, as discussed in Chapter V.


C. SUMMARY


The MSHN team has committed to incorporate security into MSHN to promote its viability, marketability, and trustworthiness. In this thesis we have undertaken the first steps in realizing this commitment. We have demonstrated how fundamental security objectives, principles and policies may be applied to MSHN. We have qualified the notion of QoS. We illustrated the role of security and its influence over the other services in the QoS domain. We have stressed the importance and purpose of a security policy, and presented a discussion of the types of security policies and the available mechanisms for supporting such policies. We have concluded with a security analysis of the SmartNet interface such that the vulnerabilities noted might be avoided in the design of the MSHN interface as well as throughout the architecture.




LIST OF REFERENCES

1. Freund R., “SuperC or Distributed Heterogeneous HPC”, Computing Systems in Engineering, 2(4): 349-355, 1991.

2. Naval Command, Control, and Ocean Surveillance Center Research, Development, Test and Evaluation Division, SmartNet User Guide V2.6, June 1996.

3. Freund R., and others, “SmartNet: A Scheduling Framework for Heterogeneous Computing”, International Symposium on Parallel Architecture, Algorithms, and Networks (ISPAN ’96), July 1996.

4. Kidd T., unpublished notes, 1994-1995.

5. MSHN Investigator Meeting, Naval Postgraduate School, Monterey CA., August 25-26 1997.

6. Garfinkel S., and Spafford G., Practical Unix & Internet Security, O’Reilly & Associates Inc., Sebastopol, California, 1996.

7. Stallings W., Network and Internetwork Security Principles and Practice, Prentice Hall, Englewood Cliffs, New Jersey.

8. SRI International, Secure Distributed Data Views, RADC-TR-89-313 Volume I, December 1989.

9. National Computer Security Center, DoD Trusted Computer System Evaluation Criteria, Department of Defense, DoD 5200.28-STD, December 1985.

10. Anderson J., Computer Security Technology Planning Study, ESD-TR-73-51, Vol. I, AD-758206, ESD/AFSC, Hanscom AFB MA, October 1972.

11. Shockley W., Class Notes, CS4605, Naval Postgraduate School, Monterey CA., October 1996.

12. National Computer Security Center, A Guide to Understanding Security Modeling in Trusted Systems, NCSC-TG-010, October 1992.

13. Graham G. S., and Denning P. J., “Protection-Principles and Practices”, Proceedings of the 1972 Spring Joint Computer Conference, Montvale NJ., AFIPS Press, pp 417-429, 1972.

14. MITRE Report MTR 2547 Vol. 2, Secure Computer Systems: Mathematical Foundations and Model, by D. Bell and L. LaPadula, November 1973.

15. Denning D., “A Lattice Model of Secure Information Flow”, Communications of the ACM, Volume 19, Number 3, May 1976.

16. Department of Trade and Industry, Information Technology Security Evaluation Criteria (ITSEC), London 1991, Harmonized Criteria of France, Germany, the Netherlands, and the United Kingdom.

17. Canadian System Security Centre, The Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) Version 3.0e, Communications Security Establishment, Government of Canada, January 1993.

18. NIST, Common Criteria for IT Security Evaluation, CCEB-96, January 1996.

19. Freund R., Hensgen D., and Kidd T., MSHN Proposal Document, to Defense Advanced Research Projects Agency, 1996.

20. IEEE Standards Department, IEEE P1220 Standard for Systems Engineering, New York, NY, 1994.

21. Birman K., Building Secure and Reliable Network Applications, Manning Publications Co., New York, 1996.

22. Shirley L., and Schell R., “Mechanism Sufficiency Validation by Assignment”, Symposium on Security and Privacy, April 1981.

23. National Computer Security Center, A Guide to Understanding Discretionary Access Control in Trusted Systems, NCSC-TG-003, September 1987.

24. National Computer Security Center, Glossary of Computer Security Terms, NCSC-TG-004, October 1988.

25. Russell D., and Gangemi G. T., Computer Security Basics, O’Reilly & Associates, Inc., July 1992.

26. Bell D. E., “Modeling the Multipolicy Machine”, Proceedings New Security Paradigms Workshop, Little Compton, RI, pp 2-9, August 1994.

27. Saltzer J., and Schroeder M., “The Protection of Information in Computer Systems”, Proceedings of the IEEE, Vol. 63 No. 9, September 1975.

28. National Computer Security Center, A Guide to Understanding Audit in Trusted Systems, NCSC-TG-001 Ver-2, June 1988.

29. National Computer Security Center, A Guide to Understanding Identification and Authentication in Trusted Systems, NCSC-TG-017, September 1991.





INITIAL DISTRIBUTION LIST

1. Defense Technical Information Center (2 copies)
   8725 John J. Kingman Rd., Ste 0944
   Ft. Belvoir, VA 22060-6218

2. Dudley Knox Library (2 copies)
   Naval Postgraduate School
   411 Dyer Rd.
   Monterey, CA 93943-5101

3. [name illegible in scan]
   HQUSEUCOM
   Unit 30400 Box 1000
   APO, AE 09128

4. [name illegible in scan] (2 copies)
   Computer Science Department
   Naval Postgraduate School
   Monterey, CA 93943-5000

5. [name illegible in scan] (2 copies)
   Computer Science Department, Code CS/Ic
   Naval Postgraduate School
   Monterey, CA 93943-5000

6. [name illegible in scan]
   Computer Science Department, Code CS/Kt
   Naval Postgraduate School
   Monterey, CA 93943-5000

7. John P. English, USNR (2 copies)
   290 Adams Street
   Milton, MA 02186

8. [name illegible in scan]
   R23
   National Security Agency
   9800 Savage Road
   Fort George G. Meade, MD 20755-6000